29 research outputs found

    Towards Bridging the gap between Empirical and Certified Robustness against Adversarial Examples

    Full text link
    The current state-of-the-art defense methods against adversarial examples typically focus on improving either empirical or certified robustness. Among them, adversarially trained (AT) models produce empirical state-of-the-art defense against adversarial examples without providing any robustness guarantees for large classifiers or higher-dimensional inputs. In contrast, existing randomized smoothing based models achieve state-of-the-art certified robustness while significantly degrading the empirical robustness against adversarial examples. In this paper, we propose a novel method, called Certification through Adaptation, that transforms an AT model into a randomized smoothing classifier during inference to provide certified robustness for the ℓ2 norm without affecting its empirical robustness against adversarial attacks. We also propose the Auto-Noise technique, which efficiently approximates the appropriate noise levels to flexibly certify the test examples using the randomized smoothing technique. Our proposed Certification through Adaptation with the Auto-Noise technique achieves average certified radius (ACR) scores of up to 1.102 and 1.148 respectively for the CIFAR-10 and ImageNet datasets using AT models without affecting their empirical robustness or benign accuracy. Therefore, our paper is a step towards bridging the gap between the empirical and certified robustness against adversarial examples by achieving both using the same classifier.
    Comment: An abridged version of this work has been presented at ICLR 2021 Workshop on Security and Safety in Machine Learning Systems: https://aisecure-workshop.github.io/aml-iclr2021/papers/2.pd

    Covariate Shift Adaptation for Adversarially Robust Classifier

    Get PDF
    We show that the adaptive batch normalization (BN) technique, which involves re-estimating the BN parameters during inference, can significantly improve the robustness of adversarially trained models against any random perturbations, including Gaussian noise. This simple finding enables us to transform an adversarially trained model into a randomized smoothing classifier to provide certified robustness for the l2 norm. Moreover, we achieve l2 certified robustness even for adversarially trained models learned using l∞-bounded adversaries. Further, adaptive BN significantly improves robustness against common corruptions, without any detrimental effect on performance against adversarial attacks. This enables us to achieve both adversarial and corruption robustness using the same classifier.

    ROBUSTNESS AND UNCERTAINTY ESTIMATION FOR DEEP NEURAL NETWORKS

    No full text
    Ph.D, DOCTOR OF PHILOSOPHY (SOC

    Approximate Manifold Defense Against Multiple Adversarial Perturbations

    No full text
    International Joint Conference on Neural Network

    Robustness for Adversarial ⍴≥1 Perturbations

    No full text
    NeurIPS 2019 Workshop on Machine Learning with Guarantee

    Compact Feature Representation for Unsupervised Ood Detection

    No full text
    Distributional mismatch between training and test data may cause remote sensing models to behave in an unpredictable manner, thus reducing the trustworthiness of such models. Most existing methods for out-of-distribution (OOD) detection rely on the availability of OOD samples during training. However, access to OOD data during training is counterintuitive and may sometimes be impractical. Considering this, we propose an unsupervised OOD detection model that does not require OOD training data. The proposed method works by projecting the in-domain samples as a union of 1-dimensional subspaces. Due to the compact feature representation of in-domain samples, OOD samples are less likely to occupy the same feature space, and thus they are easily identified. Experimental results demonstrate the capability of the proposed method to detect OOD samples.

    Recognizing & Interpreting Indian Sign Language Gesture for Human Robot Interaction

    No full text
    This paper describes a novel approach towards recognizing Indian Sign Language (ISL) gestures for Humanoid Robot Interaction (HRI). An extensive approach is introduced for the classification of ISL gestures, which imparts an elegant way of interaction between the humanoid robot HOAP-2 and a human being. ISL gestures are considered as the communicating agent for the humanoid robot used explicitly in this context. The approach involves different image processing techniques followed by a generic algorithm for the feature extraction process. The classification technique uses the Euclidean distance metric. The concrete HRI system has been established for an initiation based learning mechanism. The real-time robotics simulation software WEBOTS has been adopted to simulate the classified ISL gestures on the HOAP-2 robot. JAVA based software has been developed to handle the entire HRI process.