Dissertations / Theses on the topic 'Adversarial Attacker'

Consult the top 32 dissertations / theses for your research on the topic 'Adversarial Attacker.'

1

Ammouri, Kevin. "Deep Reinforcement Learning for Temperature Control in Buildings and Adversarial Attacks." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2021. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-301052.

Abstract:
Heating, Ventilation and Air Conditioning (HVAC) systems in buildings are energy consuming and traditional methods used for building control result in energy losses. The methods cannot account for non-linear dependencies in the thermal behaviour. Deep Reinforcement Learning (DRL) is a powerful method for reaching optimal control in many different control environments. DRL utilizes neural networks to approximate the optimal actions to take given that the system is in a given state. Therefore, DRL is a promising method for building control and this fact is highlighted by several studies. However, neural network policies are known to be vulnerable to adversarial attacks, which are small, indistinguishable changes to the input, which make the network choose a sub-optimal action. Two of the main approaches to attack DRL policies are: (1) the Fast Gradient Sign Method, which uses the gradients of the control agent's network to conduct the attack; (2) to train a DRL agent with the goal to minimize performance of control agents. The aim of this thesis is to investigate different strategies for solving the building control problem with DRL using the building simulator IDA ICE. This thesis is also going to use the concept of adversarial machine learning by applying the attacks on the agents controlling the temperature inside the building. We first built a DRL architecture to learn how to efficiently control temperature in a building. Experiments demonstrate that exploration of the agent plays a crucial role in the training of the building control agent, and one needs to fine-tune the exploration strategy in order to achieve satisfactory performance. Finally, we tested the susceptibility of the trained DRL controllers to adversarial attacks. These tests showed, on average, that attacks trained using DRL methods have a larger impact on building control than those using FGSM, while random perturbations have almost null impact.

Ventilation systems in buildings consume energy, and the traditional methods used for building control result in lost energy savings. These methods cannot account for non-linear dependencies in thermal behaviour. Deep reinforcement learning (DRL) is a powerful method for achieving optimal control in many control environments. DRL uses neural networks to approximate the optimal choices that can be made given that the system is in a certain state. DRL is therefore a promising method for building control, and this fact is highlighted by several studies. However, neural networks in general are known to be weak against adversarial attacks, which are small changes to the input that make the neural network choose a suboptimal action. The aim of this thesis is to investigate different strategies for solving the building control problem with DRL using the building simulator IDA ICE. This thesis will also use the concept of adversarial machine learning to attack the agents that control the temperature in the building. There are two different ways to attack neural networks: (1) the Fast Gradient Sign Method, which uses the gradients of the control agent's network to carry out its attack; (2) training a learning agent with DRL with the goal of minimising the control agents' performance. First, we built a DRL architecture that learned to control the temperature in a building. The experiments show that exploration by the agent is a fundamental factor in the training of the control agent, and the agent's exploration must be fine-tuned to reach satisfactory performance. Finally, we tested the susceptibility of the trained DRL agents to adversarial attacks. These tests showed that, on average, using DRL methods has a greater impact on the control agents than using FGSM, while attacking completely at random has almost no impact.
2

Akdemir, Kahraman D. "Error Detection Techniques Against Strong Adversaries." Digital WPI, 2010. https://digitalcommons.wpi.edu/etd-dissertations/406.

Abstract:
Side channel attacks (SCA) pose a serious threat to many cryptographic devices and are shown to be effective on many existing security algorithms which are in the black box model considered to be secure. These attacks are based on the key idea of recovering secret information using implementation specific side-channels. Especially active fault injection attacks are very effective in terms of breaking otherwise impervious cryptographic schemes. Various countermeasures have been proposed to provide security against these attacks. Double-Data-Rate (DDR) computation, dual-rail encoding, and simple concurrent error detection (CED) are the most popular of these solutions. Even though these security schemes provide sufficient security against weak adversaries, they can be broken relatively easily by a more advanced attacker. In this dissertation, we propose various error detection techniques that target strong adversaries with advanced fault injection capabilities. We first describe the advanced attacker in detail and provide its characteristics. As part of this definition, we provide a generic metric to measure the strength of an adversary. Next, we discuss various techniques for protecting finite state machines (FSMs) of cryptographic devices against active fault attacks. These techniques mainly depend on nonlinear robust codes and physically unclonable functions (PUFs). We show that due to the nonuniform behavior of FSM variables, securing FSMs using nonlinear codes is an important and difficult problem. As a solution to this problem, we propose error detection techniques based on nonlinear codes with different randomization methods. We also show how PUFs can be utilized to protect a class of FSMs. This solution provides security on the physical level as well as the logical level. In addition, for each technique, we provide possible hardware realizations and discuss area/security performance. Furthermore, we provide an error detection technique for protecting elliptic curve point addition and doubling operations against active fault attacks. This technique is based on nonlinear robust codes and provides nearly perfect error detection capability (except with exponentially small probability). We also conduct a comprehensive analysis in which we apply our technique to different elliptic curves (i.e. Weierstrass and Edwards) over different coordinate systems (i.e. affine and projective).
3

Worzyk, Steffen [author], Oliver [academic supervisor] Kramer, and Mike [academic supervisor] Preuss. "Adversarials−1: detecting adversarial inputs with internal attacks / Steffen Worzyk ; Oliver Kramer, Mike Preuss." Oldenburg : BIS der Universität Oldenburg, 2020. http://d-nb.info/1211724522/34.

4

Fält, Pontus. "ADVERSARIAL ATTACKS ON FACIAL RECOGNITION SYSTEMS." Thesis, Umeå universitet, Institutionen för datavetenskap, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:umu:diva-175887.

Abstract:
In machine learning, neural networks have shown to achieve state-of-the-art performance within image classification problems. Though, recent work has brought up a threat to these high performing networks in the form of adversarial attacks. These attacks fool the networks by applying small and hardly perceivable perturbations and question the reliability of neural networks. This paper will analyze and compare the behavior of adversarial attacks where reliability and safety are crucial, within facial recognition systems.
5

Fan, Zijian. "Applying Generative Adversarial Networks for the Generation of Adversarial Attacks Against Continuous Authentication." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-289634.

Abstract:
Cybersecurity has been a hot topic over the past decades with lots of approaches being proposed to secure our private information. One of the emerging approaches in security is continuous authentication, in which the computer system is authenticating the user by monitoring the user behavior during the login session. Although the research of continuous authentication has made significant achievements, the security of state-of-the-art continuous authentication systems is far from perfect. In this thesis, we explore the ability of classifiers used in continuous authentication and examine whether they can be bypassed by generated samples of user behavior from generative models. In our work, we considered four machine learning classifiers as the continuous authentication system: One-Class support vector machine, support vector machine, Gaussian mixture model and an artificial neural network. Furthermore, we considered three generative models used to mimic the user behavior: generative adversarial network, kernel density estimation generator, and MMSE-based generator. The considered classifiers and generative models were tested on two continuous authentication datasets. The result shows that generative adversarial networks achieved superior results with more than 50% of the generated samples passing continuous authentication.

Cybersecurity has been a hot topic over the past decades, with many approaches created to secure our private information. One of the new approaches in security is continuous authentication, where the computer system authenticates the user by monitoring their behaviour during the login session. Although research on continuous authentication has made significant progress, the security of state-of-the-art continuous authentication systems is far from perfect. In this thesis, we examine the ability of classifiers used in continuous authentication and investigate whether they can be fooled with the help of generative models. In our work, we used four machine learning classifiers as the continuous authentication system: one-class support vector machine, support vector machine, Gaussian mixture model and an artificial neural network. Furthermore, we considered three generative models used to mimic the user's behaviour: generative adversarial network, kernel density estimation generator and MMSE-based generator. The considered classifiers and generative models were tested on two datasets for continuous authentication. The result shows that generative adversarial networks achieved superior results, with more than 50% of the generated samples passing continuous authentication.
6

Kufel, Maciej. "Adversarial Attacks against Behavioral-based Continuous Authentication." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-285537.

Abstract:
Online identity theft and session hijacking attacks have become a major hazard in recent years and are expected to become more frequent in the years to come. Unlike the traditional authentication methods, continuous authentication based on the characterization of user behavior in interactions with the computer system allows to continuously verify the user's identity and mitigates the risk of such forms of malicious access. However, recent developments in the field of generative modeling can pose a significant threat to behavioral-based continuous authentication. A generative model is able to generate data with certain desired characteristics and could be used to imitate a user's behavior, allowing an attacker to bypass continuous authentication and perform an attack without being detected. In this thesis, we investigate this threat and carry out adversarial attacks against behavioral-based continuous authentication with the use of generative models. In our attack setup, an attacker has access to the data used to train the considered machine learning-based continuous authentication classifiers. The data is used to train generative models, which then generate adversarial samples aimed at impersonating an authorized user. We focus on three explicit generative models: Kernel Density Estimation, Gaussian Mixture Models and Variational Autoencoders. We test our attacks based on keystroke dynamics and smartphone touch dynamics. The chosen generative models achieved great results, where the median amount of adversarial samples which bypassed the continuous authentication systems ranged from 70 to 100% for keystroke dynamics and from 41 to 99% for smartphone touch dynamics. The results also show the relation between the size of the training data used for generative models and their performance. Moreover, we observed that the generated adversarial samples exhibited only a slightly higher variance than that of the original samples, which indicates that the imitation attack indeed resembled the authenticated user's movements. The vulnerability of behavioral-based continuous authentication to adversarial attacks discovered in this study calls for further research aimed at improving the existing security solutions.

Identity theft and session hijacking have become a major danger in recent years and are expected to increase in the years to come. Continuous authentication based on the characterisation of user behaviour in interactions with the system, unlike the traditional authentication methods, makes it possible to continuously verify the user's identity and reduces the risk of such forms of malicious access. However, recent developments in the field of generative modelling may pose a significant threat to behaviour-based continuous authentication. A generative model can generate data with certain desired properties and can be used to imitate a user's behaviour, thereby making it possible for an attacker to bypass continuous authentication and carry out an attack without being detected. In this thesis we investigate this threat and carry out adversarial attacks against behaviour-based continuous authentication with the help of generative models. We consider an attacker who has access to the training data used when training the continuous authentication classifier. The data is used to train generative models, which then generate adversarial samples aimed at imitating an authorised user. We focus on three explicit generative models: Kernel Density Estimation, Gaussian Mixture Models and Variational Autoencoders. We test our attacks against continuous authentication based on keyboard typing patterns and smartphone touch dynamics. The chosen generative models gave promising results, where the median proportion of adversarial samples imitating a user that evaded detection ranged from 70 to 100% for keyboard typing patterns and from 41 to 99% for smartphone touch dynamics. The results also show the varying proportion of successful outcomes as the training data for a generative model decreases, and inspect the variance of the adversarial samples. This study shows how vulnerable behaviour-based continuous authentication is to adversarial attacks and should lead to further research aimed at improving the existing security solutions.
7

Burago, Igor. "Automated Attacks on Compression-Based Classifiers." Thesis, University of Oregon, 2014. http://hdl.handle.net/1794/18439.

Abstract:
Methods of compression-based text classification have proven their usefulness for various applications. However, in some classification problems, such as spam filtering, a classifier confronts one or many adversaries willing to induce errors in the classifier's judgment on certain kinds of input. In this thesis, we consider the problem of finding thrifty strategies for character-based text modification that allow an adversary to revert the classifier's verdict on a given family of input texts. We propose three statistical statements of the problem that can be used by an attacker to obtain transformation models which are optimal in some sense. Evaluating these three techniques on a realistic spam corpus, we find that an adversary can transform a spam message (detectable as such by an entropy-based text classifier) into a legitimate one by generating and appending, in some cases, as few additional characters as 20% of the original length of the message.
8

Li, Yuan Man. "SIFT-based image copy-move forgery detection and its adversarial attacks." Thesis, University of Macau, 2018. http://umaclib3.umac.mo/record=b3952093.

9

Sun, Michael(Michael Z. ). "Local approximations of deep learning models for black-box adversarial attacks." Thesis, Massachusetts Institute of Technology, 2019. https://hdl.handle.net/1721.1/121687.

Abstract:
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections. Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2019. Cataloged from student-submitted PDF version of thesis. Includes bibliographical references (pages 45-47).

We study the problem of generating adversarial examples for image classifiers in the black-box setting (when the model is available only as an oracle). We unify two seemingly orthogonal and concurrent lines of work in black-box adversarial generation: query-based attacks and substitute models. In particular, we reinterpret adversarial transferability as a strong gradient prior. Based on this unification, we develop a method for integrating model-based priors into the generation of black-box attacks. The resulting algorithms significantly improve upon the current state-of-the-art in black-box adversarial attacks across a wide range of threat models.
10

Itani, Aashish. "COMPARISON OF ADVERSARIAL ROBUSTNESS OF ANN AND SNN TOWARDS BLACKBOX ATTACKS." OpenSIUC, 2021. https://opensiuc.lib.siu.edu/theses/2864.

Abstract:
In recent years, the vulnerability of neural networks to adversarial samples has gained wide attention from machine learning and deep learning communities. Addition of small and imperceptible perturbations to the input samples can cause neural network models to make incorrect predictions with high confidence. As the employment of neural networks on safety critical applications is rising, this vulnerability of traditional neural networks to the adversarial samples demands more robust alternative neural network models. Spiking Neural Network (SNN) is a special class of ANN, which mimics the brain functionality by using spikes for information processing. The known advantages of SNN include fast inference, low power consumption and biologically plausible information processing. In this work, we experiment on the adversarial robustness of the SNN as compared to traditional ANN, and figure out if SNN can be a candidate to solve the security problems faced by ANN.
11

Siddiqui, Abdul Jabbar. "Securing Connected and Automated Surveillance Systems Against Network Intrusions and Adversarial Attacks." Thesis, Université d'Ottawa / University of Ottawa, 2021. http://hdl.handle.net/10393/42345.

Abstract:
In recent years, connected surveillance systems have been witnessing an unprecedented evolution owing to the advancements in internet of things and deep learning technologies. However, vulnerabilities to various kinds of attacks both at the cyber network-level and at the physical world-level are also rising. This poses danger not only to the devices but also to human life and property. The goal of this thesis is to enhance the security of an internet of things, focusing on connected video-based surveillance systems, by proposing multiple novel solutions to address security issues at the cyber network-level and to defend such systems at the physical world-level. In order to enhance security at the cyber network-level, this thesis designs and develops solutions to detect network intrusions in an internet of things such as surveillance cameras. The first solution is a novel method for network flow features transformation, named TempoCode. It introduces a temporal codebook-based encoding of flow features based on capturing the key patterns of benign traffic in a learnt temporal codebook. The second solution takes an unsupervised learning-based approach and proposes four methods to build efficient and adaptive ensembles of neural networks-based autoencoders for intrusion detection in internet of things such as surveillance cameras. To address the physical world-level attacks, this thesis studies, for the first time to the best of our knowledge, adversarial patches-based attacks against a convolutional neural network (CNN)-based surveillance system designed for vehicle make and model recognition (VMMR). The connected video-based surveillance systems that are based on deep learning models such as CNNs are highly vulnerable to adversarial machine learning-based attacks that could trick and fool the surveillance systems. In addition, this thesis proposes and evaluates a lightweight defense solution called SIHFR to mitigate the impact of such adversarial patches on CNN-based VMMR systems, leveraging the symmetry in vehicles' face images. The experimental evaluations on recent realistic intrusion detection datasets prove the effectiveness of the developed solutions, in comparison to state-of-the-art, in detecting intrusions of various types and for different devices. Moreover, using a real-world surveillance dataset, we demonstrate the effectiveness of the SIHFR defense method, which does not require re-training of the target VMMR model and adds only a minimal overhead. The solutions designed and developed in this thesis shall pave the way forward for future studies to develop efficient intrusion detection systems and adversarial attacks mitigation methods for connected surveillance systems such as VMMR.
12

Delvecchio, Matthew David. "Enhancing Communications Aware Evasion Attacks on RFML Spectrum Sensing Systems." Thesis, Virginia Tech, 2020. http://hdl.handle.net/10919/99792.

Abstract:
Recent innovations in machine learning have paved the way for new capabilities in the field of radio frequency (RF) communications. Machine learning techniques such as reinforcement learning and deep neural networks (DNN) can be leveraged to improve upon traditional wireless communications methods so that they no longer require expertly-defined features. Simultaneously, cybersecurity and electronic warfare are growing areas of focus and concern in an increasingly technology-driven world. Privacy and confidentiality of communication links are both more important and more difficult than ever in the current high threat environment. RF machine learning (RFML) systems contribute to this threat as they have been shown to be successful in gleaning information from intercepted signals, through the use of learning-enabled eavesdroppers. This thesis focuses on a method of defense against such communications threats termed an adversarial evasion attack in which intelligently crafted perturbations of the RF signal are used to fool a DNN-enabled classifier, therefore securing the communications channel. One often overlooked aspect of evasion attacks is the concept of maintaining intended use. In other words, while an adversarial signal, or more generally an adversarial example, should fool the DNN it is attacking, this should not come at the detriment to its primary application. In RF communications, this manifests in the idea that the communications link must be successfully maintained with friendly receivers, even when executing an evasion attack against malicious receivers. This is a difficult scenario, made even more so by the nature of channel effects present in over-the-air (OTA) communications, as is assumed in this work. Previous work in this field has introduced a form of evasion attack for RFML systems called a communications aware attack that explicitly addresses the reliable communications aspect of the attack by training a separate DNN to craft adversarial signals; however, this work did not utilize the full RF processing chain and left residual indicators of the attack that could be leveraged for defensive capabilities. First, this thesis focuses on implementing forward error correction (FEC), an aspect present in most communications systems, in the training process of the attack. It is shown that introducing this into the training stage allows the communications aware attack to implicitly use the structure of the coding to create smarter and more efficient adversarial signals. Secondly, this thesis then addresses the fact that in previous work, the resulting adversarial signal exhibited significant out-of-band frequency content, a limitation that can be used to render the attack ineffective if preprocessing at the attacked DNN is assumed. This thesis presents two novel approaches to solve this problem and eliminate the majority of side content in the attack. By doing so, the communications aware attack is more readily applicable to real-world scenarios.

Master of Science

Deep learning has started infiltrating many aspects of society from the military, to academia, to commercial vendors. Additionally, with the recent deployment of 5G technology, connectivity is more readily accessible than ever and an increasingly large number of systems will communicate with one another across the globe. However, cybersecurity and electronic warfare call into question the very notion of privacy and confidentiality of data and communication streams. Deep learning has further improved these intercepting capabilities. However, these deep learning systems have also been shown to be vulnerable to attack. This thesis exists at the nexus of these two problems, both machine learning and communication security. This work expands upon adversarial evasion attacks meant to help elude signal classification at a deep learning-enabled eavesdropper while still providing reliable communications to a friendly receiver. By doing so, this work both provides a new methodology that can be used to conceal communication information from unwanted parties while also highlighting the glaring vulnerabilities present in machine learning systems.
13

Gitzinger, Louison. "Surviving the massive proliferation of mobile malware." Thesis, Rennes 1, 2020. http://www.theses.fr/2020REN1S058.

Abstract:
Nowadays, we are surrounded by autonomous smart devices that interact with many services with the aim of improving our standard of living. These devices are part of larger ecosystems in which many companies collaborate to ease the distribution of applications between developers and users. However, malicious actors take illegal advantage of this to infect users' devices with malicious applications. Despite all the efforts made to defend these ecosystems, the rate of devices infected by malware is still increasing in 2020. In this thesis, we explore three research axes with the aim of globally improving malware detection in the Android ecosystem. We first demonstrate that the accuracy of machine learning-based detection systems can be improved by automating their evaluation and by reusing the concept of AutoML to fine-tune the parameters of the learning algorithms. We propose an approach for automatically creating malware variants from combinations of complex evasion techniques in order to diversify experimental malware datasets with the aim of putting detection systems to the test. Finally, we propose methods to improve the quality of the experimental datasets used to train and test detection systems.

Nowadays, many of us are surrounded by smart devices that seamlessly operate interactively and autonomously together with multiple services to make our lives more comfortable. These smart devices are part of larger ecosystems, in which various companies collaborate to ease the distribution of applications between developers and users. However, malicious attackers take advantage of them illegitimately to infect users' smart devices with malicious applications. Despite all the efforts made to defend these ecosystems, the rate of devices infected with malware is still increasing in 2020. In this thesis, we explore three research axes with the aim of globally improving malware detection in the Android ecosystem. We demonstrate that the accuracy of machine learning-based detection systems can be improved by automating their evaluation and by reusing the concept of AutoML to fine-tune learning algorithms' parameters. We propose an approach to automatically create malware variants from combinations of complex evasion techniques to diversify experimental malware datasets in order to challenge existing detection systems. Finally, we propose methods to globally increase the quality of experimental datasets used to train and test detection systems.
14

Kanerva, Anton, and Fredrik Helgesson. "On the Use of Model-Agnostic Interpretation Methods as Defense Against Adversarial Input Attacks on Tabular Data." Thesis, Blekinge Tekniska Högskola, Institutionen för datavetenskap, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-20085.

Abstract:
Context. Machine learning is a constantly developing subfield within the artificial intelligence field. The number of domains in which we deploy machine learning models is constantly growing and the systems using these models spread almost unnoticeably in our daily lives through different devices. In previous years, lots of time and effort has been put into increasing the performance of these models, overshadowing the significant risks of attacks targeting the very core of the systems, the trained machine learning models themselves. A specific attack with the aim of fooling the decision-making of a model, called the adversarial input attack, has almost exclusively been researched for models processing image data. However, the threat of adversarial input attacks stretches beyond systems using image data, to e.g. the tabular domain, which is the most common data domain used in the industry. Methods used for interpreting complex machine learning models can help humans understand the behavior and predictions of these complex machine learning systems. Understanding the behavior of a model is an important component in detecting, understanding and mitigating vulnerabilities of the model. Objectives. This study aims to reduce the research gap of adversarial input attacks and defenses targeting machine learning models in the tabular data domain. The goal of this study is to analyze how model-agnostic interpretation methods can be used in order to mitigate and detect adversarial input attacks on tabular data. Methods. The goal is reached by conducting three consecutive experiments where model interpretation methods are analyzed and adversarial input attacks are evaluated as well as visualized in terms of perceptibility. Additionally, a novel method for adversarial input attack detection based on model interpretation is proposed together with a novel way of defensively using feature selection to reduce the attack vector size. Results. The adversarial input attack detection showed state-of-the-art results with an accuracy over 86%. The proposed feature selection-based mitigation technique was successful in hardening the model from adversarial input attacks by reducing their scores by 33% without decreasing the performance of the model. Conclusions. This study contributes with satisfactory and useful methods for adversarial input attack detection and mitigation as well as methods for evaluating and visualizing the imperceptibility of attacks on tabular data.
15

Branlat, Matthieu. "Challenges to Adversarial Interplay Under High Uncertainty: Staged-World Study of a Cyber Security Event." The Ohio State University, 2011. http://rave.ohiolink.edu/etdc/view?acc_num=osu1316462733.

Full text
16

Marriott, Richard. "Data-augmentation with synthetic identities for robust facial recognition." Thesis, Lyon, 2020. http://www.theses.fr/2020LYSEC048.

Full text
Abstract:
In 2014, use of deep neural networks (DNNs) revolutionised facial recognition (FR). DNNs are capable of learning to extract feature-based representations from images that are discriminative and robust to extraneous detail. Arguably, one of the most important factors now limiting the performance of FR algorithms is the data used to train them. High-quality image datasets that are representative of real-world test conditions can be difficult to collect. One potential solution is to augment datasets with synthetic images. This option recently became increasingly viable following the development of generative adversarial networks (GANs) which allow generation of highly realistic, synthetic data samples. This thesis investigates the use of GANs for augmentation of FR datasets. It looks at the ability of GANs to generate new identities, and their ability to disentangle identity from other forms of variation in images. Ultimately, a GAN integrating a 3D model is proposed in order to fully disentangle pose from identity. Images synthesised using the 3D GAN are shown to improve large-pose FR and a state-of-the-art accuracy is demonstrated for the challenging Cross-Pose LFW evaluation dataset. The final chapter of the thesis evaluates one of the more nefarious uses of synthetic images: the face-morphing attack. Such attacks exploit imprecision in FR systems by manipulating images such that they might be falsely verified as belonging to more than one person. An evaluation of GAN-based face-morphing attacks is provided. Also introduced is a novel, GAN-based morphing method that minimises the distance of the morphed image from the original identities in a biometric feature-space. A potential countermeasure to such morphing attacks is to train FR networks using additional, synthetic identities. In this vein, the effect of training using synthetic, 3D GAN data on the success of simulated face-morphing attacks is evaluated.
17

Chen, Yu-Sheng, and 陳育聖. "Adversarial Attack against Modeling Attack on PUFs." Thesis, 2019. http://ndltd.ncl.edu.tw/cgi-bin/gs32/gsweb.cgi/login?o=dnclcdr&s=id=%22107NCHU5394018%22.&searchmode=basic.

Full text
Abstract:
Master's thesis. National Chung Hsing University, Department of Computer Science and Engineering, 107.
The Physical Unclonable Function (PUF) has been proposed for the identification and authentication of devices and for cryptographic key generation. A strong PUF provides an extremely large number of device-specific challenge-response pairs (CRPs) which can be used for identification. Unfortunately, the CRP mechanism is vulnerable to modeling attacks, which use machine learning (ML) algorithms to predict PUF responses with high accuracy. Many methods have been developed to strengthen strong PUFs with complicated hardware; however, recent studies show that they are still vulnerable to attacks leveraging GPU-accelerated ML algorithms. In this paper, we propose to deal with the problem from a different perspective. By modifying the CRP mechanism, a PUF can provide poison data such that an accurate model of the PUF under attack cannot be built by ML algorithms. Experimental results show that the proposed method provides an effective countermeasure against modeling attacks on PUFs.
18

Hsieh, Yi-Tung, and 謝義桐. "Detecting Geometric Transformation-based Adversarial Attack using Adversarial Matching Analysis." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/7h2dqz.

Full text
Abstract:
Master's thesis. National Taiwan University of Science and Technology, Department of Computer Science and Information Engineering, 107.
Deep Neural Networks have been continuously developing and progressing, and they have achieved impressive results in many tasks. However, the robustness of the model has not been attended to. An adversarial attack is an attack that is undetectable and intentionally designed to make the model misclassify. Different from previous studies, the adversarial attack based on geometric transformation without adversarial noise is not only more imperceptible but also makes the effects of previous defense methods not as good as expected. In this thesis, we propose a spatial transformed adversarial detector that treats the local pixel-transformed noise as a kind of image noise and uses image smoothing techniques to reduce the perturbations. The degree of matching between the image before and after smoothing is analyzed by adversarial matching analysis to detect adversarial examples. According to the results, our detector can achieve 86.05% of F1-measure. The main contributions of the thesis are as follows: (a) extracting matching anomaly features through adversarial matching analysis; (b) introducing a detection system that can detect geometric transformation-based adversarial attacks early.
19

(8617635), Rehana Mahfuz. "Defending Against Adversarial Attacks Using Denoising Autoencoders." Thesis, 2020.

Find full text
Abstract:
Gradient-based adversarial attacks on neural networks threaten extremely critical applications such as medical diagnosis and biometric authentication. These attacks use the gradient of the neural network to craft imperceptible perturbations to be added to the test data, in an attempt to decrease the accuracy of the network. We propose a defense to combat such attacks, which can be modified to reduce the training time of the network by as much as 71%, and can be further modified to reduce the training time of the defense by as much as 19%. Further, we address the threat of uncertain behavior on the part of the attacker, a threat previously overlooked in the literature that considers mostly white box scenarios. To combat uncertainty on the attacker's part, we train our defense with an ensemble of attacks, each generated with a different attack algorithm, and using gradients of distinct architecture types. Finally, we discuss how we can prevent the attacker from breaking the defense by estimating the gradient of the defense transformation.
20

(11178210), Li-Chi Chang. "Defending against Adversarial Attacks in Speaker Verification Systems." Thesis, 2021.

Find full text
Abstract:
With the advance of Internet of Things technologies, smart devices or virtual personal assistants at home, such as Google Assistant, Apple Siri, and Amazon Alexa, have been widely used to control and access different objects like door locks, bulbs, air conditioners, and even bank accounts, which makes our lives convenient. Because of its ease of operation, voice control has become a main interface between users and these smart devices. To make voice control more secure, speaker verification systems have been researched to apply the human voice as biometrics to accurately identify a legitimate user and avoid illegal access. In recent studies, however, it has been shown that speaker verification systems are vulnerable to different security attacks such as replay, voice cloning, and adversarial attacks. Among all attacks, adversarial attacks are the most dangerous and very challenging to defend against. Currently, there is no known method that can effectively defend against such an attack in speaker verification systems.

The goal of this project is to design and implement a defense system that is simple, light-weight, and effective against adversarial attacks for speaker verification. To achieve this goal, we study the audio samples from adversarial attacks in both the time domain and the Mel spectrogram, and find that the generated adversarial audio is simply a clean illegal audio with small perturbations that are similar to white noise, but well-designed to fool speaker verification. Our intuition is that if these perturbations can be removed or modified, adversarial attacks can potentially lose their attacking ability. Therefore, we propose to add a plugin-function module to preprocess the input audio before it is fed into the verification system. As a first attempt, we study two opposite plugin functions: denoising, which attempts to remove or reduce perturbations, and noise-adding, which adds small Gaussian noise to an input audio. We show through experiments that both methods can significantly degrade the performance of a state-of-the-art adversarial attack. Specifically, it is shown that denoising and noise-adding can reduce the targeted attack success rate of the attack from 100% to only 56% and 5.2%, respectively. Moreover, noise-adding can slow down the attack 25 times in speed and has a minor effect on the normal operations of a speaker verification system. Therefore, we believe that noise-adding can be applied to any speaker verification system against adversarial attacks. To the best of our knowledge, this is the first attempt at applying the noise-adding method to defend against adversarial attacks in speaker verification systems.
21

LU, YUN-ZHONG, and 盧允中. "Generating Adversarial Examples by Makeup Attacks on Face Recognition." Thesis, 2018. http://ndltd.ncl.edu.tw/handle/gyz3qw.

Full text
Abstract:
Master's thesis. National Chung Cheng University, Graduate Institute of Computer Science and Information Engineering, 106.
Machine learning has developed rapidly, and has achieved great success in computer vision and natural language processing. Many machine learning technologies are used in human daily life, such as self-driving cars and face recognition systems. Nowadays, humans really rely on deep neural networks (DNNs), and if the DNNs have been attacked it will cause terrible results. In order to show the vulnerability of DNNs we propose a method based on Generative Adversarial Networks (GANs) to generate face makeup images that can fool a face recognition system. We hide the perturbation information of the attack in the resulting makeup photos, undetectable to humans. The experimental results show that we can generate high quality face makeup images and our attack results have a high success rate on the face recognition system.
22

Lin, Yi-Chen, and 林羿辰. "Adversarial attack against deep learning based self-checkout systems." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/696f5g.

Full text
Abstract:
Master's thesis. National Taiwan University, Graduate Institute of Electrical Engineering, 107.
In recent years, with the successful development of deep learning, many applications adopting deep learning techniques have been used in our daily lives. In the retail industry, deep learning models have been used for self-checkout, but deep learning models are vulnerable to adversarial attacks. Such applications have security concerns. This thesis presents a method that can be used to attack such self-checkout systems in practice. The object detection model can be misled by attaching a sticker with a specific pattern to the product. The sticker is generated by an adversarial attack algorithm and is attached at a specific location which is generated by a differential evolution algorithm. Two different purposes of the above attack are proposed through this method, one for reducing the precision of the model and the other for converting objects into a specific category. Experimental tests on the YOLOv3 and Faster R-CNN models achieve effective attacks and prove that such attacks are transferable. According to our experimental results, a self-checkout system using only a deep learning object detection model is not reliable. When encountering a malicious user, it may cause identification errors and cause losses to the store.
23

"Detecting Adversarial Examples by Measuring their Stress Response." Master's thesis, 2019. http://hdl.handle.net/2286/R.I.55594.

Full text
Abstract:
Machine learning (ML) and deep neural networks (DNNs) have achieved great success in a variety of application domains; however, despite significant effort to make these networks robust, they remain vulnerable to adversarial attacks in which input that is perceptually indistinguishable from natural data can be erroneously classified with high prediction confidence. Works on defending against adversarial examples can be broadly classified as correcting or detecting, which aim, respectively, at negating the effects of the attack and correctly classifying the input, or detecting and rejecting the input as adversarial. In this work, a new approach for detecting adversarial examples is proposed. The approach takes advantage of the robustness of natural images to noise. As noise is added to a natural image, the prediction probability of its true class drops, but the drop is not sudden or precipitous. The same seems not to hold for adversarial examples. In other words, the stress response profile for natural images seems different from that of adversarial examples, which could be detected by their stress response profile. An evaluation of this approach for detecting adversarial examples is performed on the MNIST, CIFAR-10 and ImageNet datasets. Experimental data shows that this approach is effective at detecting some adversarial examples on small-scale, simple-content images and with little sacrifice of benign accuracy.
Dissertation/Thesis. Master's Thesis, Computer Science, 2019.
24

Huang, Chen-Wei, and 黃辰瑋. "Defense mechanism against adversarial attacks using density-based representation of images." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/u239p4.

Full text
Abstract:
Master's thesis. National Chengchi University, Department of Computer Science, 107.
Adversarial examples are slightly modified inputs that are devised to cause erroneous inference of deep learning models. Recently, many methods have been proposed to counter the attack of adversarial examples. However, new ways of generating attacks have also surfaced accordingly. Protection against the intervention of adversarial examples is a fundamental issue that needs to be addressed before wide adoption of deep learning based intelligent systems. In this research, we utilize the method known as input recharacterization to effectively remove the perturbations found in the adversarial examples in order to maintain the performance of the original model. Input recharacterization typically consists of two stages: a forward transform and a backward reconstruction. Our hope is that by going through the lossy two-way transformation, the purposely added 'noise' or 'perturbation' will become ineffective. In this work, we employ digital halftoning and inverse halftoning for input recharacterization, although there exist many possible choices. We apply convolution layer visualization to better understand the network architecture and characteristics. The data set used in this study is Tiny ImageNet, consisting of 260 thousand 128x128 grayscale images belonging to 200 classes. Most defense mechanisms rely on gradient masking, input transform and adversarial training. Among these strategies, adversarial training is widely regarded as the most effective. However, it requires adversarial examples to be generated and included in the training set, which is impractical in most applications. The proposed approach is more similar to input transform. We convert the image from an intensity-based representation to a density-based representation using the halftone operation, which hopefully invalidates the attack by changing the image representation. We also investigate whether inverse halftoning can eliminate the adversarial perturbation. The proposed method does not require extra training on adversarial samples. Only low-cost input pre-processing is needed. On the VGG-16 architecture, the top-5 accuracy for the grayscale model is 76.5%, the top-5 accuracy for the halftone model is 80.4%, and the top-5 accuracy for the hybrid model (trained with both grayscale and halftone images) is 85.14%. With adversarial attacks generated using FGSM, I-FGSM, and PGD, the top-5 accuracy of the hybrid model can still maintain 80.97%, 78.77%, and 81.56%, respectively. Although the accuracy has been affected, the influence of adversarial examples is significantly discounted. The average improvement over existing input transform defense mechanisms is approximately 10%.
25

"Efficient and Secure Deep Learning Inference System: A Software and Hardware Co-design Perspective." Doctoral diss., 2020. http://hdl.handle.net/2286/R.I.62825.

Full text
Abstract:
The advances of Deep Learning (DL) achieved recently have successfully demonstrated its great potential of surpassing or approaching human-level performance across multiple domains. Consequently, there exists a rising demand to deploy state-of-the-art DL algorithms, e.g., Deep Neural Networks (DNN), in real-world applications to release labor from repetitive work. On the one hand, the impressive performance achieved by the DNN is normally accompanied by the drawbacks of intensive memory and power usage due to enormous model size and high computation workload, which significantly hampers their deployment on resource-limited cyber-physical systems or edge devices. Thus, the urgent demand for enhancing the inference efficiency of DNN has also attracted great research interest across various communities. On the other hand, scientists and engineers still have insufficient knowledge about the principles of DNN, which makes it mostly be treated as a black box. Under such circumstances, DNN is like "the sword of Damocles", where its security or fault-tolerance capability is an essential concern which cannot be circumvented. Motivated by the aforementioned concerns, this dissertation comprehensively investigates the emerging efficiency and security issues of DNNs, from both software and hardware design perspectives. From the efficiency perspective, as the foundation technique for efficient inference of the target DNN, model compression via quantization is elaborated. In order to maximize the inference performance boost, the deployment of quantized DNN on the revolutionary Computing-in-Memory based neural accelerator is presented in a cross-layer (device/circuit/system) fashion. From the security perspective, the well-known adversarial attack is investigated, spanning from its original input attack form (a.k.a. adversarial example generation) to its parameter attack variant.
Dissertation/Thesis. Doctoral Dissertation, Electrical Engineering, 2020.
26

(6636128), Nidhi Nandkishor Sakhala. "Generation of cyber attack data using generative techniques." Thesis, 2019.

Find full text
Abstract:
The presence of attacks in day-to-day traffic flow in connected networks is considerably less compared to genuine traffic flow. Yet, the consequences of these attacks are disastrous. It is very important to identify if the network is being attacked and block these attempts to protect the network system. Failure to block these attacks can lead to loss of confidential information and reputation and can also lead to financial loss. One of the strategies to identify these attacks is to use machine learning algorithms that learn to identify attacks by looking at previous examples. But since the number of attacks is small, it is difficult to train these machine learning algorithms. This study aims to use generative techniques to create new attack samples that can be used to train the machine learning based intrusion detection systems to identify more attacks. Two metrics are used to verify that the training has improved and a binary classifier is used to perform a two-sample test for verifying the generated attacks.
27

(9154928), Aritra Mitra. "New Approaches to Distributed State Estimation, Inference and Learning with Extensions to Byzantine-Resilience." Thesis, 2020.

Find full text
Abstract:
In this thesis, we focus on the problem of estimating an unknown quantity of interest, when the information required to do so is dispersed over a network of agents. In particular, each agent in the network receives sequential observations generated by the unknown quantity, and the collective goal of the network is to eventually learn this quantity by means of appropriately crafted information diffusion rules. The abstraction described above can be used to model a variety of problems ranging from environmental monitoring of a dynamical process using autonomous robot teams, to statistical inference using a network of processors, to social learning in groups of individuals. The limited information content of each agent, coupled with dynamically changing networks, the possibility of adversarial attacks, and constraints imposed by the communication channels, introduce various unique challenges in addressing such problems. We contribute towards systematically resolving some of these challenges.

In the first part of this thesis, we focus on tracking the state of a dynamical process, and develop a distributed observer for the most general class of LTI systems, linear measurement models, and time-invariant graphs. To do so, we introduce the notion of a multi-sensor observable decomposition - a generalization of the Kalman observable canonical decomposition for a single sensor. We then consider a scenario where certain agents in the network are compromised based on the classical Byzantine adversary model. For this worst-case adversarial setting, we identify certain fundamental necessary conditions that are a blend of system- and network-theoretic requirements. We then develop an attack-resilient, provably-correct, fully distributed state estimation algorithm. Finally, by drawing connections to the concept of age-of-information for characterizing information freshness, we show how our framework can be extended to handle a broad class of time-varying graphs. Notably, in each of the cases above, our proposed algorithms guarantee exponential convergence at any desired convergence rate.

In the second part of the thesis, we turn our attention to the problem of distributed hypothesis testing/inference, where each agent receives a stream of stochastic signals generated by an unknown static state that belongs to a finite set of hypotheses. To enable each agent to uniquely identify the true state, we develop a novel distributed learning rule that employs a min-protocol for data-aggregation, as opposed to the large body of existing techniques that rely on "belief-averaging". We establish consistency of our rule under minimal requirements on the observation model and the network structure, and prove that it guarantees exponentially fast convergence to the truth with probability 1. Most importantly, we establish that the learning rate of our algorithm is network-independent, and a strict improvement over all existing approaches. We also develop a simple variant of our learning algorithm that can account for misbehaving agents. As the final contribution of this work, we develop communication-efficient rules for distributed hypothesis testing. Specifically, we draw on ideas from event-triggered control to reduce the number of communication rounds, and employ an adaptive quantization scheme that guarantees exponentially fast learning almost surely, even when just 1 bit is used to encode each hypothesis.
28

(9034049), Miguel Villarreal-Vasquez. "Anomaly Detection and Security Deep Learning Methods Under Adversarial Situation." Thesis, 2020.

Find full text
Abstract:
Advances in Artificial Intelligence (AI), or more precisely in Neural Networks (NNs), and fast processing technologies (e.g. Graphic Processing Units or GPUs) in recent years have positioned NNs as one of the main machine learning algorithms used to solve a diversity of problems in both academia and the industry. While they have been proven to be effective in solving many tasks, the lack of security guarantees and understanding of their internal processing disrupts their wide adoption in general and in cybersecurity-related applications. In this dissertation, we present the findings of a comprehensive study aimed to enable the absorption of state-of-the-art NN algorithms in the development of enterprise solutions. Specifically, this dissertation focuses on (1) the development of defensive mechanisms to protect NNs against adversarial attacks and (2) the application of NN models for anomaly detection in enterprise networks.

In this state of affairs, this work makes the following contributions. First, we performed a thorough study of the different adversarial attacks against NNs. We concentrate on the attacks referred to as trojan attacks and introduce a novel model hardening method that removes any trojan (i.e. misbehavior) inserted into the NN models at training time. We carefully evaluate our method and establish the correct metrics to test the efficiency of defensive methods against these types of attacks: (1) accuracy with benign data, (2) attack success rate, and (3) accuracy with adversarial data. Prior work evaluates their solutions using the first two metrics only, which do not suffice to guarantee robustness against untargeted attacks. Our method is compared with the state-of-the-art. The obtained results show our method outperforms it. Second, we proposed a novel approach to detect anomalies using LSTM-based models. Our method analyzes at runtime the event sequences generated by the Endpoint Detection and Response (EDR) system of a renowned security company and efficiently detects uncommon patterns. The new detection method is compared with the EDR system. The results show that our method achieves a higher detection rate. Finally, we present a Moving Target Defense technique that smartly reacts upon the detection of anomalies so as to also mitigate the detected attacks. The technique efficiently replaces the entire stack of virtual nodes, making ongoing attacks in the system ineffective.
29

Alfarra, Motasem. "Applications of Tropical Geometry in Deep Neural Networks." Thesis, 2020. http://hdl.handle.net/10754/662473.

Full text
Abstract:
This thesis tackles the problem of understanding deep neural networks with piecewise linear activation functions. We leverage tropical geometry, a relatively new field in algebraic geometry, to characterize the decision boundaries of a single hidden layer neural network. This characterization is leveraged to understand, and reformulate, three interesting applications related to deep neural networks. First, we give a geometrical demonstration of the behaviour of the lottery ticket hypothesis. Moreover, we deploy the geometrical characterization of the decision boundaries to reformulate the network pruning problem. This new formulation aims to prune network parameters that are not contributing to the geometrical representation of the decision boundaries. In addition, we propose a dual view of adversarial attack that tackles both designing perturbations to the input image, and the equivalent perturbation to the decision boundaries.
30

(9178400), Sanchari Sen. "Efficient and Robust Deep Learning through Approximate Computing." Thesis, 2020.

Find full text
Abstract:
<p>Deep Neural Networks (DNNs) have greatly advanced the state-of-the-art in a wide range of machine learning tasks involving image, video, speech and text analytics, and are deployed in numerous widely-used products and services. Improvements in the capabilities of hardware platforms such as Graphics Processing Units (GPUs) and specialized accelerators have been instrumental in enabling these advances as they have allowed more complex and accurate networks to be trained and deployed. However, the enormous computational and memory demands of DNNs continue to increase with growing data size and network complexity, posing a continuing challenge to computing system designers. For instance, state-of-the-art image recognition DNNs require hundreds of millions of parameters and hundreds of billions of multiply-accumulate operations, while state-of-the-art language models require hundreds of billions of parameters and several trillion operations to process a single input instance. Another major obstacle in the adoption of DNNs, despite their impressive accuracies on a range of datasets, has been their lack of robustness. Specifically, recent efforts have demonstrated that small, carefully-introduced input perturbations can force a DNN to behave in unexpected and erroneous ways, which can have severe consequences in several safety-critical DNN applications like healthcare and autonomous vehicles. In this dissertation, we explore approximate computing as an avenue to improve the speed and energy efficiency of DNNs, as well as their robustness to input perturbations.</p>
<p>Approximate computing involves executing selected computations of an application in an approximate manner, while generating favorable trade-offs between computational efficiency and output quality. The intrinsic error resilience of machine learning applications makes them excellent candidates for approximate computing, allowing us to achieve execution time and energy reductions with minimal effect on the quality of outputs. This dissertation performs a comprehensive analysis of different approximate computing techniques for improving the execution efficiency of DNNs. Complementary to generic approximation techniques like quantization, it identifies approximation opportunities based on the specific characteristics of three popular classes of networks - Feed-forward Neural Networks (FFNNs), Recurrent Neural Networks (RNNs) and Spiking Neural Networks (SNNs) - which vary considerably in their network structure and computational patterns.</p>
<p>First, in the context of feed-forward neural networks, we identify sparsity, or the presence of zero values in the data structures (activations, weights, gradients and errors), to be a major source of redundancy and therefore an easy target for approximations. We develop lightweight micro-architectural and instruction set extensions to a general-purpose processor core that enable it to dynamically detect zero values when they are loaded and skip future instructions that are rendered redundant by them. Next, we explore LSTMs (the most widely used class of RNNs), which map sequences from an input space to an output space. We propose hardware-agnostic approximations that dynamically skip redundant symbols in the input sequence and discard redundant elements in the state vector to achieve execution time benefits. Following that, we consider SNNs, which are an emerging class of neural networks that represent and process information in the form of sequences of binary spikes. Observing that spike-triggered updates along synaptic connections are the dominant operation in SNNs, we propose hardware and software techniques to identify connections that minimally impact the output quality and deactivate them dynamically, skipping any associated updates.</p>
<p>The dissertation also delves into the efficacy of combining multiple approximate computing techniques to improve the execution efficiency of DNNs. In particular, we focus on the combination of quantization, which reduces the precision of DNN data structures, and pruning, which introduces sparsity in them. We observe that the ability of pruning to reduce the memory demands of quantized DNNs decreases with precision, as the overhead of storing non-zero locations alongside the values starts to dominate in different sparse encoding schemes. We analyze this overhead and the overall compression of three different sparse formats across a range of sparsity and precision values and propose a hybrid compression scheme that identifies the optimal sparse format for a pruned low-precision DNN.</p>
<p>Along with improved execution efficiency of DNNs, the dissertation explores an additional advantage of approximate computing in the form of improved robustness. We propose ensembles of quantized DNN models with different numerical precisions as a new approach to increase robustness against adversarial attacks. It is based on the observation that quantized neural networks often demonstrate much higher robustness to adversarial attacks than full precision networks, but at the cost of a substantial loss in accuracy on the original (unperturbed) inputs. We overcome this limitation to achieve the best of both worlds, i.e., the higher unperturbed accuracies of the full precision models combined with the higher robustness of the low precision models, by composing them in an ensemble.</p>
<p>In summary, this dissertation establishes approximate computing as a promising direction to improve the performance, energy efficiency and robustness of neural networks.</p>
31

(10711971), Alex M. Sherman. "Dynamic Chemical Imaging And Analysis Within Biologically Active Materials." Thesis, 2021.

Find full text
Abstract:
A thorough understanding of pharmaceutical and therapeutic products and materials is important for an improved quality of life. By probing the complex behaviors and properties of these systems, new insights can allow for a better understanding of current treatments, improved design and synthesis of new drug products, and the development of new treatments for various health conditions. Often, the impact of these new insights is limited by current technology and instrumentation and by the methods in which existing data are processed. Additionally, current standards for characterization of pharmaceuticals and therapeutics are time-consuming and can delay the timeline in which these products become available to the consumer. By addressing the limitations in current instrumentation and data science methods, faster and improved characterization is possible.<div>Development and improvement in optical instrumentation provide potential solutions to the current limitations of characterization methods by conventional instrumentation. Limitations in speed can be addressed through the use of nonlinear optical (NLO) methods, such as second harmonic generation (SHG) and two-photon excited ultraviolet fluorescence (TPE-UVF) microscopy, or by linear methods such as fluorescence recovery after photobleaching (FRAP). For these methods, a high signal-to-noise ratio (SNR) and a nondestructive nature decrease the overall sample size requirements and collection times. Furthermore, by combining these optical techniques with other techniques, such as thermal analysis (e.g. differential scanning calorimetry (DSC)), polarization modulation, or patterned illumination, the collection of more complex and higher quality data is possible while retaining the improved speed of these methods. Thus, this modified instrumentation can allow for improved characterization of properties such as stability, structure, and mobility of pharmaceutical and therapeutic products.</div><div>With an increase in data quantity and complexity, improvements to existing methods of analysis, as well as the development of new data science methods, are essential. Machine learning (ML) architectures and empirically validated models for the analysis of existing data can provide improved quantification. Using the aforementioned optical instrumentation, auto-calibration of data acquired by SHG microscopy is one such method in which quantification of sample crystallinity is enabled by these ML and empirical models. Additionally, ML approaches utilizing generative adversarial networks (GANs) are able to improve the identification of data tampering in order to retain data security. By using GANs to tamper with experimentally collected and/or simulated data used in existing spectral classifiers, knowledge of adversarial methods and weaknesses in spectral classification can be ascertained. Likewise, perturbations in physical illumination can be used to ascertain information on the classification of real objects by use of GANs. This knowledge can then be used to prevent further data tampering or to improve identification of data tampering.</div>
32

(11173365), Youlin Liu. "MACHINE LEARNING METHODS FOR SPECTRAL ANALYSIS." Thesis, 2021.

Find full text
Abstract:
Measurement science has seen fast growth of data in both volume and complexity in recent years; new algorithms and methodologies have been developed to aid decision making in measurement sciences, and this process is automated for the liberation of labor. In light of the adversarial approaches shown in digital image processing, Chapter 2 demonstrates how the same attack is possible with spectroscopic data. Chapter 3 takes the question presented in Chapter 2 and optimizes the classifier through an iterative approach. The optimized LDA was cross-validated and compared with other standard chemometrics methods, and the application was extended to bi-distribution mineral Raman data. Chapter 4 focuses on a novel Artificial Neural Network structure design with diffusion measurements; the architecture was tested with both a simulated dataset and an experimental dataset. Chapter 5 presents the construction of a novel infrared hyperspectral microscope for complex chemical compound classification, with detailed discussion of the segmentation of the images and the choice of classifier.