Can You Hear Me Now? Sensitive Comparisons of Human and Machine Perception
The rise of machine-learning systems that process sensory input has brought
with it a rise in comparisons between human and machine perception. But such
comparisons face a challenge: Whereas machine perception of some stimulus can
often be probed through direct and explicit measures, much of human perceptual
knowledge is latent, incomplete, or unavailable for explicit report. Here, we
explore how this asymmetry can cause such comparisons to misestimate the
overlap in human and machine perception. As a case study, we consider human
perception of adversarial speech -- synthetic audio commands that are
recognized as valid messages by automated speech-recognition systems but that
human listeners reportedly hear as meaningless noise. In five experiments, we
adapt task designs from the human psychophysics literature to show that even
when subjects cannot freely transcribe such speech commands (the previous
benchmark for human understanding), they often can demonstrate other forms of
understanding, including discriminating adversarial speech from closely matched
non-speech (Experiments 1--2), finishing common phrases begun in adversarial
speech (Experiments 3--4), and solving simple math problems posed in
adversarial speech (Experiment 5) -- even for stimuli previously described as
unintelligible to human listeners. We recommend the adoption of such "sensitive
tests" when comparing human and machine perception, and we discuss the broader
consequences of such approaches for assessing the overlap between systems.
Comment: 24 pages; 4 figure
Designing and Evaluating Physical Adversarial Attacks and Defenses for Machine Learning Algorithms
Studies show that state-of-the-art deep neural networks (DNNs) are vulnerable to adversarial examples, resulting from small-magnitude perturbations added to the input in a calculated fashion. These perturbations induce mistakes in the network's output. However, despite the large interest and numerous works, there have only been limited studies on the impact of adversarial attacks in the physical world. Furthermore, these studies lack well-developed, robust methodologies for attacking real physical systems.
In this dissertation, we first explore the technical requirements for generating physical adversarial inputs through the manipulation of physical objects. Based on our analysis, we design a new adversarial attack algorithm, Robust Physical Perturbations (RPP) that consistently computes the necessary modifications to ensure the modified object remains adversarial across numerous varied viewpoints. We show that the RPP attack results in physical adversarial inputs for classification tasks as well as object detection tasks, which, prior to our work, were considered to be resistant.
We then develop a defensive technique, robust feature augmentation, to mitigate the effect of adversarial inputs, both digitally and physically. We hypothesize that the input to a machine learning algorithm contains predictive feature information that a bounded adversary is unable to manipulate in order to cause classification errors. By identifying and extracting this adversarially robust feature information, we can obtain evidence of the possible set of correct output labels and adjust the classification decision accordingly. As adversarial inputs are a human-defined phenomenon, we utilize human-recognizable features to identify adversarially robust, predictive feature information for a given problem domain. Due to the safety-critical nature of autonomous driving, we focus our study on traffic sign classification and localization tasks.
PhD, Computer Science & Engineering
University of Michigan, Horace H. Rackham School of Graduate Studies
https://deepblue.lib.umich.edu/bitstream/2027.42/153373/1/keykholt_1.pd