Improving Network Robustness against Adversarial Attacks with Compact Convolution
Though Convolutional Neural Networks (CNNs) have surpassed human-level
performance on tasks such as object classification and face verification, they
can easily be fooled by adversarial attacks. These attacks add a small
perturbation to the input image that causes the network to misclassify the
sample. In this paper, we focus on neutralizing adversarial attacks by compact
feature learning. In particular, we show that learning features in a closed and
bounded space improves the robustness of the network. We explore the effect of
L2-Softmax Loss, that enforces compactness in the learned features, thus
resulting in enhanced robustness to adversarial perturbations. Additionally, we
propose compact convolution, a novel method of convolution that when
incorporated in conventional CNNs improves their robustness. Compact
convolution ensures feature compactness at every layer such that they are
bounded and close to each other. Extensive experiments show that Compact
Convolutional Networks (CCNs) neutralize multiple types of attacks, and perform
better than existing methods in defending adversarial attacks, without
incurring any additional training overhead compared to CNNs.
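As an added illustration of what a closed and bounded feature space buys (this is not code from the paper; the toy linear classifier, its weights, ALPHA and the input are all constructed for this example), the block below first attacks the raw features with a one-step FGSM perturbation, then projects the features onto a sphere of fixed radius ALPHA, as the L2-Softmax loss does. With the norm fixed, the Cauchy-Schwarz inequality caps how far any input, adversarial or not, can push the logit margin, whereas raw features can be scaled without limit.

```python
import math

# Constructed toy linear classifier: 4 input features, 2 classes. The weights are
# illustration values chosen for this example, not parameters from the paper.
W = [[1.0, -0.5, 0.3, 0.2],    # class 0
     [-0.7, 0.8, 0.1, 0.4]]    # class 1
ALPHA = 8.0   # fixed feature norm enforced by L2-Softmax (assumed value)
X0 = [1.0, 0.2, 0.5, 0.1]      # constructed clean input, true label 0


def logits(x):
    return [sum(w * v for w, v in zip(row, x)) for row in W]


def softmax(z):
    m = max(z)
    e = [math.exp(v - m) for v in z]
    s = sum(e)
    return [v / s for v in e]


def predict(x):
    z = logits(x)
    return 0 if z[0] >= z[1] else 1


def margin(x):
    """Logit margin of class 0 over class 1; negative means class 0 is misclassified."""
    z = logits(x)
    return z[0] - z[1]


def l2_normalize(x, alpha=ALPHA):
    """L2-Softmax style feature compaction: project x onto the sphere of radius alpha."""
    n = math.sqrt(sum(v * v for v in x))
    return [alpha * v / n for v in x] if n > 0 else [0.0] * len(x)


def fgsm(x, y, eps):
    """One-step FGSM against the raw linear model: x' = x + eps * sign(dL/dx), with
    L = softmax cross-entropy, so dL/dx = sum_k (p_k - [k == y]) * W_k."""
    p = softmax(logits(x))
    grad = [sum((p[k] - (1.0 if k == y else 0.0)) * W[k][i] for k in range(len(W)))
            for i in range(len(x))]
    sign = lambda g: (g > 0) - (g < 0)
    return [v + eps * sign(g) for v, g in zip(x, grad)]


def margin_bound(alpha=ALPHA):
    """Cauchy-Schwarz: if ||z|| = alpha then |z . (W0 - W1)| <= alpha * ||W0 - W1||,
    so no input can move the margin of the normalized model outside this band."""
    d = [a - b for a, b in zip(W[0], W[1])]
    return alpha * math.sqrt(sum(v * v for v in d))


if __name__ == "__main__":
    x_adv = fgsm(X0, 0, eps=0.5)
    print("clean prediction", predict(X0), "margin", round(margin(X0), 3))
    print("FGSM prediction", predict(x_adv), "margin", round(margin(x_adv), 3))
    big = [1000.0 * v for v in X0]
    print("raw margin at 1000x input", round(margin(big), 1))
    print("normalized margin at 1000x input", round(margin(l2_normalize(big)), 3),
          "<= bound", round(margin_bound(), 3))
```

The bound constrains the magnitude of the margin, not its sign, so the example illustrates the bounded-space property the abstract relies on rather than proving robustness by itself; the paper's compact convolution extends the same idea to every layer.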
Evaluating and Improving Adversarial Robustness of Machine Learning-Based Network Intrusion Detectors
Machine learning (ML), and especially deep learning (DL), techniques have been
increasingly used in anomaly-based network intrusion detection systems (NIDS).
However, ML/DL has been shown to be extremely vulnerable to adversarial attacks,
especially in such security-sensitive systems. Many adversarial attacks have
been proposed to evaluate the robustness of ML-based NIDSs. Unfortunately,
existing attacks have mostly focused on feature-space and/or white-box attacks,
which make impractical assumptions about real-world scenarios, leaving the study
of practical gray/black-box attacks largely unexplored.
To bridge this gap, we conduct the first systematic study of
gray/black-box traffic-space adversarial attacks to evaluate the robustness of
ML-based NIDSs. Our work improves on previous ones in the following aspects:
(i) practical: the proposed attack can automatically mutate original traffic
with extremely limited knowledge and affordable overhead while preserving its
functionality; (ii) generic: the proposed attack is effective for evaluating the
robustness of various NIDSs using diverse ML/DL models and non-payload-based
features; (iii) explainable: we propose an explanation method for the fragile
robustness of ML-based NIDSs. Based on this, we also propose a defense scheme
against adversarial attacks to improve system robustness. We extensively
evaluate the robustness of various NIDSs using diverse feature sets and ML/DL
models. Experimental results show our attack is effective (e.g., >97% evasion
rate in half of the cases for Kitsune, a state-of-the-art NIDS) with affordable
execution cost, and the proposed defense method can effectively mitigate such
attacks (evasion rate is reduced by >50% in most cases). Comment: This article has been accepted for publication by IEEE JSA
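To make the feature-space versus traffic-space distinction concrete, the added example below (not the authors' code; the flow, the feature set and the threshold rule standing in for a trained detector are all constructed here) re-segments a flow into smaller packets. That is a traffic-space mutation: only non-payload features such as packet count, mean size and inter-arrival time change, while the bytes each side reassembles are identical, so the traffic's functionality is preserved.

```python
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Packet:
    ts: float        # seconds since flow start
    direction: str   # "c2s" or "s2c"
    payload: bytes


# Constructed flow: one small client request, one server response, then two
# full-size client segments carrying an upload. Sizes and timestamps are made up.
FLOW = [
    Packet(0.00, "c2s", b"REQ ".ljust(120, b"q")),
    Packet(0.05, "s2c", b"RESP".ljust(1400, b"r")),
    Packet(0.10, "c2s", b"DATA".ljust(1400, b"d")),
    Packet(0.15, "c2s", b"DATA".ljust(1400, b"e")),
]


def non_payload_features(flow):
    """Flow-level features of the kind many ML NIDSs consume: counts, sizes, timing."""
    sizes = [len(p.payload) for p in flow]
    iats = [b.ts - a.ts for a, b in zip(flow, flow[1:])]
    return {
        "pkts": len(flow),
        "mean_size": mean(sizes),
        "std_size": pstdev(sizes),
        "max_size": max(sizes),
        "mean_iat": mean(iats) if iats else 0.0,
    }


def toy_detector(feat):
    """Constructed stand-in for a trained model: flags bulk transfers by size."""
    return feat["mean_size"] > 600 or feat["max_size"] > 1000


def split_segments(flow, mss=200, gap=0.001):
    """Traffic-space mutation: re-segment every packet into pieces of at most mss
    bytes, spaced `gap` seconds apart. Byte order within each direction is kept,
    so the application-layer content the peer reassembles is unchanged."""
    out = []
    for p in flow:
        chunks = [p.payload[i:i + mss] for i in range(0, len(p.payload), mss)] or [b""]
        for k, c in enumerate(chunks):
            out.append(Packet(p.ts + k * gap, p.direction, c))
    return out


def reassemble(flow, direction):
    return b"".join(p.payload for p in flow if p.direction == direction)


def functionality_preserved(original, mutated):
    """The functionality check: both directions reassemble to the same byte streams."""
    return all(reassemble(original, d) == reassemble(mutated, d) for d in ("c2s", "s2c"))


if __name__ == "__main__":
    before = non_payload_features(FLOW)
    mutated = split_segments(FLOW)
    after = non_payload_features(mutated)
    print("before:", before, "flagged:", toy_detector(before))
    print("after: ", after, "flagged:", toy_detector(after))
    print("functionality preserved:", functionality_preserved(FLOW, mutated))
```

A detector that reassembles streams before extracting payload features would see the same input, which is why the paper restricts itself to non-payload-based features; timing mutations (delaying or batching segments) follow the same pattern through the ts field, and a real attack would search over such mutations with only the black-box verdict as feedback.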
Characterizing and Predicting the Robustness of Power-law Networks
Power-law networks such as the Internet, terrorist cells, species
relationships, and cellular metabolic interactions are susceptible to node
failures, yet maintaining network connectivity is essential for network
functionality. Disconnection of the network leads to fragmentation and, in some
cases, collapse of the underlying system. However, the influence of network
topology on the ability to withstand node failures is poorly
understood. Based on a study of the response of 2,000 power-law networks to
node failures, we find that networks with higher nodal degree and clustering
coefficient, lower betweenness centrality, and lower variability in path length
and clustering coefficient maintain their cohesion better during such events.
We also find that network robustness, i.e., the ability to withstand node
failures, can be accurately predicted a priori for power-law networks across
many fields. These results provide a basis for designing new, more robust
networks, improving the robustness of existing networks such as the Internet
and cellular metabolic pathways, and efficiently degrading networks such as
terrorist cells.
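An added example, not from the paper, of the kind of node-failure simulation the study describes: it grows a power-law graph by preferential attachment (the size n=300, m=2 edges per new node and the random seed are assumptions of this example), then compares the largest connected component after removing the highest-degree nodes against removing the same number of random nodes. Degree-targeted removal is the "efficient degradation" the abstract mentions, and the mean clustering coefficient is one of the topological predictors it names.

```python
import random
from collections import defaultdict, deque


def preferential_attachment(n, m, seed=1):
    """Grow a power-law (Barabasi-Albert style) graph: each new node links to m
    existing nodes chosen with probability proportional to their degree."""
    rng = random.Random(seed)
    adj = defaultdict(set)
    for i in range(m + 1):                 # seed clique so every node starts with degree m
        for j in range(i + 1, m + 1):
            adj[i].add(j)
            adj[j].add(i)
    pool = [v for v in range(m + 1) for _ in range(m)]   # node repeated once per edge end
    for v in range(m + 1, n):
        chosen = set()
        while len(chosen) < m:
            chosen.add(rng.choice(pool))
        for u in chosen:
            adj[v].add(u)
            adj[u].add(v)
            pool.extend((u, v))
    return {v: adj[v] for v in range(n)}


def largest_component(adj, removed):
    """Size of the largest connected component once the `removed` nodes have failed."""
    seen = set(removed)
    best = 0
    for s in adj:
        if s in seen:
            continue
        q = deque([s])
        seen.add(s)
        size = 0
        while q:
            u = q.popleft()
            size += 1
            for w in adj[u]:
                if w not in seen:
                    seen.add(w)
                    q.append(w)
        best = max(best, size)
    return best


def mean_clustering(adj):
    """Average local clustering coefficient (fraction of a node's neighbour pairs that are linked)."""
    total = 0.0
    for v, nb in adj.items():
        k = len(nb)
        if k < 2:
            continue
        links = sum(1 for a in nb for b in nb if a < b and b in adj[a])
        total += 2.0 * links / (k * (k - 1))
    return total / len(adj)


def lcc_after_failures(adj, fraction, strategy, seed=1):
    """Fraction of surviving nodes still in the largest component after removing
    `fraction` of the nodes, either the highest-degree ones or a random sample."""
    n = len(adj)
    k = int(fraction * n)
    if strategy == "targeted":
        removed = sorted(adj, key=lambda v: len(adj[v]), reverse=True)[:k]
    else:
        removed = random.Random(seed).sample(sorted(adj), k)
    return largest_component(adj, removed) / (n - k)


if __name__ == "__main__":
    g = preferential_attachment(300, 2)
    degs = [len(nb) for nb in g.values()]
    print("mean degree", sum(degs) / len(degs), "max degree", max(degs),
          "mean clustering", round(mean_clustering(g), 3))
    for frac in (0.05, 0.10, 0.20):
        print(f"remove {frac:.0%}: targeted LCC {lcc_after_failures(g, frac, 'targeted'):.2f}"
              f"  random LCC {lcc_after_failures(g, frac, 'random'):.2f}")
```

The heavy-tailed degree distribution is what makes the two strategies diverge: random failures mostly hit low-degree nodes and barely dent connectivity, while removing a few hubs fragments the graph. Betweenness centrality, the other predictor the abstract names, can be computed the same way with a shortest-path count per node, at the cost of an all-pairs BFS.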
Achieving Adversarial Robustness via Sparsity
Network pruning has been known to produce compact models without much
accuracy degradation. However, how the pruning process affects a network's
robustness and the working mechanism behind remain unresolved. In this work, we
theoretically prove that the sparsity of network weights is closely associated
with model robustness. Through experiments on a variety of adversarial pruning
methods, we find that weight sparsity does not hurt but rather improves robustness,
and that both weight inheritance from the lottery ticket and adversarial training
improve model robustness in network pruning. Based on these findings, we
propose a novel adversarial training method called inverse weights inheritance,
which imposes sparse weights distribution on a large network by inheriting
weights from a small network, thereby improving the robustness of the large
network.
Training for Faster Adversarial Robustness Verification via Inducing ReLU Stability
We explore the concept of co-design in the context of neural network
verification. Specifically, we aim to train deep neural networks that not only
are robust to adversarial perturbations but also whose robustness can be
verified more easily. To this end, we identify two properties of network models
- weight sparsity and so-called ReLU stability - that turn out to significantly
impact the complexity of the corresponding verification task. We demonstrate
that improving weight sparsity alone already enables us to turn computationally
intractable verification problems into tractable ones. Then, improving ReLU
stability leads to an additional 4-13x speedup in verification times. An
important feature of our methodology is its "universality," in the sense that
it can be used with a broad range of training procedures and verification
approaches.
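The added example below (not the authors' code; the 2-4-2 network, the input and the perturbation radii are constructed values) shows why ReLU stability drives verification cost. Interval bound propagation over an input box classifies each hidden ReLU as stably active, stably inactive, or unstable; a complete verifier only has to branch on the unstable ones, so their count sets the worst-case search size. Zero weights drop out of the bound sums entirely, which is the sparsity effect the abstract describes.

```python
# Constructed 2-4-2 ReLU network; weights are illustration values, not from the paper.
LAYERS = [
    ([[1.0, -1.0],
      [0.5, 0.5],
      [-2.0, 1.0],
      [0.0, 1.5]], [0.0, -1.0, 0.5, -0.2]),      # hidden layer (followed by ReLU)
    ([[1.0, 0.0, 0.0, 1.0],
      [0.0, 1.0, 1.0, 0.0]], [0.0, 0.0]),         # output layer (logits)
]
X0 = [1.0, 0.5]   # constructed input, class 0


def interval_affine(lo, hi, W, b):
    """Exact box propagation through y = W x + b: a positive weight carries the
    input's lower bound into the output's lower bound, a negative weight swaps
    them. Zero weights contribute nothing, which is why sparsity tightens bounds."""
    out_lo, out_hi = [], []
    for row, bias in zip(W, b):
        l = h = bias
        for w, a, c in zip(row, lo, hi):
            if w >= 0:
                l += w * a
                h += w * c
            else:
                l += w * c
                h += w * a
        out_lo.append(l)
        out_hi.append(h)
    return out_lo, out_hi


def relu_status(lo, hi):
    """A ReLU is stable when its pre-activation interval lies entirely on one side
    of zero; an unstable ReLU is a binary choice a complete verifier must branch on."""
    return ["active" if l >= 0 else "inactive" if h <= 0 else "unstable"
            for l, h in zip(lo, hi)]


def analyze(layers, x0, eps):
    """Propagate the box [x0 - eps, x0 + eps]; return output bounds, per-layer
    ReLU statuses and the total number of unstable ReLUs."""
    lo = [v - eps for v in x0]
    hi = [v + eps for v in x0]
    statuses = []
    for i, (W, b) in enumerate(layers):
        lo, hi = interval_affine(lo, hi, W, b)
        if i < len(layers) - 1:
            statuses.append(relu_status(lo, hi))
            lo = [max(0.0, v) for v in lo]
            hi = [max(0.0, v) for v in hi]
    unstable = sum(s.count("unstable") for s in statuses)
    return lo, hi, statuses, unstable


def verified_by_intervals(layers, x0, eps, target):
    """True when the target logit's lower bound beats every other logit's upper
    bound over the whole input box, i.e. robustness is proved without branching."""
    lo, hi, _, _ = analyze(layers, x0, eps)
    return all(lo[target] > hi[j] for j in range(len(lo)) if j != target)


if __name__ == "__main__":
    for eps in (0.1, 0.3, 0.5):
        lo, hi, statuses, unstable = analyze(LAYERS, X0, eps)
        print(f"eps={eps}: hidden ReLUs {statuses[0]}, unstable={unstable}, "
              f"worst-case branches=2**{unstable}={2 ** unstable}, "
              f"verified={verified_by_intervals(LAYERS, X0, eps, 0)}")
```

Intervals alone prove robustness at eps=0.1 (no unstable ReLUs, and the class-0 lower bound exceeds the class-1 upper bound); at eps=0.5 all four hidden ReLUs are unstable and the interval check fails, so a MILP or branch-and-bound verifier would have to explore up to 2^4 activation patterns. Training that pushes pre-activation intervals away from zero, which is what ReLU stability regularization does, shrinks that exponent directly.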
Distributed Radio Interferometric Calibration
Increasing data volumes delivered by a new generation of radio
interferometers require computationally efficient and robust calibration
algorithms. In this paper, we propose distributed calibration as a way of
improving both computational cost and robustness in calibration. We
exploit the data parallelism across frequency that is inherent in radio
astronomical observations that are recorded as multiple channels at different
frequencies. Moreover, we also exploit the smoothness of the variation of
calibration parameters across frequency. Data parallelism enables us to
distribute the computing load across a network of compute agents. Smoothness in
frequency enables us to reformulate calibration as a consensus optimization
problem. With this formulation, we enable flow of information between compute
agents calibrating data at different frequencies, without actually passing the
data, and thereby improving robustness. We present simulation results to show
the feasibility as well as the advantages of distributed calibration as opposed
to conventional calibration. Comment: MNRAS Accepted 2015 March 13. Received 2015 January 28; in original
form 2014 November 6, low resolution figure
Light-weight Head Pose Invariant Gaze Tracking
Unconstrained remote gaze tracking using off-the-shelf cameras is a
challenging problem. Recently, promising algorithms for appearance-based gaze
estimation using convolutional neural networks (CNN) have been proposed.
Improving their robustness to various confounding factors, including variable
head pose, subject identity, illumination and image quality, remains an open
problem. In this work, we study the effect of variable head pose on machine
learning regressors trained to estimate gaze direction. We propose a novel
branched CNN architecture that improves the robustness of gaze classifiers to
variable head pose, without increasing computational cost. We also present
various procedures to effectively train our gaze network including transfer
learning from the more closely related task of object viewpoint estimation and
from a large high-fidelity synthetic gaze dataset, which enable our gaze
network, ten times faster than its current state-of-the-art direct competitor,
to achieve competitive accuracy. Comment: 9 pages, IEEE Conference on Computer Vision and Pattern Recognition
Worksho
Adversarial Collaborative Auto-encoder for Top-N Recommendation
During the past decade, model-based recommendation methods have evolved from
latent factor models to neural network-based models. Most of these techniques
mainly focus on improving the overall performance, such as the root mean square
error for rating predictions and hit ratio for top-N recommendation, where the
users' feedback is considered as the ground-truth. However, in real-world
applications, the users' feedback may be contaminated by imperfect user
behaviour, namely careless preference selection. Such data contamination
poses challenges for the design of robust recommendation methods. In this work,
to address the above issue, we propose a general adversarial training framework
for neural network-based recommendation models, which improves both the model
robustness and the overall performance. We point out the tradeoffs between
performance and robustness enhancement with detailed instructions on how to
strike a balance. Specifically, we implement our approach on the collaborative
auto-encoder, followed by experiments on three publicly available datasets:
MovieLens-1M, Ciao, and FilmTrust. We show that our approach outperforms highly
competitive state-of-the-art recommendation methods. In addition, we carry out
a thorough analysis on the noise impacts, as well as the complex interactions
between model nonlinearity and noise levels. Through simple modifications, our
adversarial training framework can be applied to a host of neural network-based
models whose robustness and performance are expected to be both enhanced.
Improving Robustness of Neural Dialog Systems in a Data-Efficient Way with Turn Dropout
Neural network-based dialog models often lack robustness to anomalous,
out-of-domain (OOD) user input which leads to unexpected dialog behavior and
thus considerably limits such models' usage in mission-critical production
environments. The problem is especially relevant in the setting of dialog
system bootstrapping with limited training data and no access to OOD examples.
In this paper, we explore the robustness of such systems to
anomalous input and the associated trade-off in accuracy on seen and
unseen data. We present a new dataset for studying the robustness of dialog
systems to OOD input, which is bAbI Dialog Task 6 augmented with OOD content in
a controlled way. We then present turn dropout, a simple yet efficient
negative-sampling-based technique for improving the robustness of neural dialog models. We
demonstrate its effectiveness applied to Hybrid Code Network-family models
(HCNs) which reach state-of-the-art results on our OOD-augmented dataset as
well as the original one. Specifically, an HCN trained with turn dropout
achieves state-of-the-art performance of more than 75% per-utterance accuracy
on the augmented dataset's OOD turns and 74% F1-score as an OOD detector.
Furthermore, we introduce a Variational HCN enhanced with turn dropout which
achieves more than 56.5% accuracy on the original bAbI Task 6 dataset, thus
outperforming the initially reported HCN result. Comment: NeurIPS 2018 workshop on Conversational A