STARNet: Sensor Trustworthiness and Anomaly Recognition via Approximated Likelihood Regret for Robust Edge Autonomy
Complex sensors such as LiDAR, RADAR, and event cameras have proliferated in
autonomous robotics to enhance perception and understanding of the environment.
Meanwhile, these sensors are also vulnerable to diverse failure mechanisms that
can intricately interact with their operation environment. In parallel, the
limited availability of training data on complex sensors also affects the
reliability of their deep learning-based prediction flow, where their
prediction models can fail to generalize to environments not adequately
captured in the training set. To address these reliability concerns, this paper
introduces STARNet, a Sensor Trustworthiness and Anomaly Recognition Network
designed to detect untrustworthy sensor streams that may arise from sensor
malfunctions and/or challenging environments. We specifically benchmark STARNet
on LiDAR and camera data. STARNet employs the concept of approximated
likelihood regret, a gradient-free framework tailored for low-complexity
hardware, especially those with only fixed-point precision capabilities.
Through extensive simulations, we demonstrate the efficacy of STARNet in
detecting untrustworthy sensor streams in unimodal and multimodal settings. In
particular, the network shows superior performance in addressing internal
sensor failures, such as cross-sensor interference and crosstalk. In diverse
test scenarios involving adverse weather and sensor malfunctions, we show that
STARNet enhances prediction accuracy by approximately 10% by filtering out
untrustworthy sensor streams. STARNet is publicly available at
https://github.com/sinatayebati/STARNet.
Regularization in neural network optimization via trimmed stochastic gradient descent with noisy label
Regularization is essential for avoiding over-fitting to training data in
neural network optimization, leading to better generalization of the trained
networks. Label noise provides strong implicit regularization by
replacing the ground-truth target labels of training examples with uniform random
labels. However, it may also cause undesirable, misleading gradients due to the
large loss associated with incorrect labels. We propose a first-order
optimization method (Label-Noised Trim-SGD) which combines the label noise with
the example trimming in order to remove the outliers. The proposed algorithm
enables us to impose a large label noise and obtain a better regularization
effect than the original methods. The quantitative analysis is performed by
comparing the behavior of the label noise, the example trimming, and the
proposed algorithm. We also present empirical results that demonstrate the
effectiveness of our algorithm using the major benchmarks and the fundamental
networks, where our method has successfully outperformed the state-of-the-art
optimization methods.
Stateful Detection of Adversarial Reprogramming
Adversarial reprogramming allows stealing computational resources by
repurposing machine learning models to perform a different task chosen by the
attacker. For example, a model trained to recognize images of animals can be
reprogrammed to recognize medical images by embedding an adversarial program in
the images provided as inputs. This attack can be perpetrated even if the
target model is a black box, provided that the machine-learning model is
offered as a service and the attacker can query the model and collect its
outputs. So far, no defense has been demonstrated effective in this scenario.
We show for the first time that this attack is detectable using stateful
defenses, which store the queries made to the classifier and detect the
abnormal cases in which they are similar. Once a malicious query is detected,
the account of the user who made it can be blocked. Thus, the attacker must
create many accounts to perpetrate the attack. To decrease this number, the
attacker could create the adversarial program against a surrogate classifier
and then fine-tune it by making a few queries to the target model. In this
scenario, the effectiveness of the stateful defense is reduced, but we show
that it is still effective.