Locally optimal detection and randomization defenses against universal adversarial perturbations
Goel, Amish
Permalink
https://hdl.handle.net/2142/117625
Description
Title
Locally optimal detection and randomization defenses against universal adversarial perturbations
Author(s)
Goel, Amish
Issue Date
2022-08-25
Director of Research (if dissertation) or Advisor (if thesis)
Moulin, Pierre
Doctoral Committee Chair(s)
Moulin, Pierre
Committee Member(s)
Schwing, Alexander
Li, Bo
Raginsky, Maxim
Veeravalli, Venugopal V.
Department of Study
Electrical & Computer Eng
Discipline
Electrical & Computer Engr
Degree Granting Institution
University of Illinois at Urbana-Champaign
Degree Name
Ph.D.
Degree Level
Dissertation
Keyword(s)
universal adversarial perturbations, deep learning, hypothesis testing, locally optimal test, generalized likelihood ratio test
Abstract
This thesis investigates a detection-based approach to safeguard a machine-learning-based classifier from adversarial perturbations of its input. In particular, we consider input-agnostic universal adversarial perturbations which are selected to force the input to a desired target class. The detector is designed by application of fundamental concepts of statistical decision theory, including locally optimal testing. Since locally optimal detectors depend on the input distribution, which is unknown in real-world datasets, a tractable surrogate input distribution is used instead. The thesis also defines several metrics for joint classification and detection, and evaluates them on several image datasets and popular image classifiers. We demonstrate through the experimental results that our detection-based approach is successful and outperforms the prior state of the art. We also show that detector-aware universal adversarial perturbations can be constructed in a way that evades our detector and achieves high target success rate on the classifier. To mitigate this problem, we propose and evaluate several relevant randomization schemes. Among the proposed methods, we observe that randomized smoothing offers better defense against the stronger detector-aware attacks.
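The following is an added toy illustration of the two ideas the abstract names, a locally optimal test and a surrogate input distribution, written for this page; it is not the thesis's detector, data or surrogate. It assumes an additive universal perturbation x' = x + eps*v with a fixed unit direction v, a Gaussian surrogate N(0, sigma^2 I) used only to derive the form of the test statistic, and constructed "real" inputs with i.i.d. Laplace coordinates (heavier tails than the surrogate) so the mismatch between surrogate and true distribution is visible. The dimension, perturbation strength and sample sizes are arbitrary choices for the demo. The detection threshold is set empirically on clean data, so the false-alarm rate is controlled regardless of the surrogate being wrong; only the power of the test depends on how good the surrogate is.

```python
import math
import random

# Constructed example (not the thesis's code): LO detector for an additive
# universal perturbation under a Gaussian surrogate input model.
D = 20  # input dimension (assumption for the demo)


def lo_statistic(x, v, sigma=1.0):
    """Locally optimal (LO) test statistic under the surrogate N(0, sigma^2 I).

    H0: x ~ p(x)            (clean input)
    H1: x ~ p(x - eps * v)  (input shifted by the universal perturbation, eps small)
    The LO test thresholds the slope of the log-likelihood ratio at eps = 0:
        T(x) = d/d(eps) log p(x - eps v) |_{eps=0} = -v . grad log p(x)
    For the Gaussian surrogate grad log p(x) = -x / sigma^2, so T(x) = v.x / sigma^2.
    """
    return sum(vi * xi for vi, xi in zip(v, x)) / (sigma ** 2)


def calibrate_threshold(clean_stats, alpha):
    """Empirical (1 - alpha) quantile of the statistic on clean inputs.

    Declaring "attacked" when T(x) > tau then gives a false-alarm rate of
    about alpha, whatever the true (non-surrogate) input distribution is.
    """
    s = sorted(clean_stats)
    k = min(len(s) - 1, int(math.ceil((1.0 - alpha) * len(s))))
    return s[k]


def detection_rate(stats, tau):
    """Fraction of inputs flagged by the detector at threshold tau."""
    return sum(1 for t in stats if t > tau) / len(stats)


def _laplace(rng, b):
    # Laplace(0, b) as the difference of two Exp(1/b) draws; this is the
    # constructed "real" data model, deliberately not the Gaussian surrogate.
    return rng.expovariate(1.0 / b) - rng.expovariate(1.0 / b)


def sample_clean(rng, n, b=1.0 / math.sqrt(2.0)):
    # i.i.d. Laplace coordinates with unit variance (var = 2 b^2 = 1).
    return [[_laplace(rng, b) for _ in range(D)] for _ in range(n)]


def run_experiment(n=3000, eps=3.0, alpha=0.05, seed=0):
    """Calibrate the LO detector on clean data, then measure false alarms and power."""
    rng = random.Random(seed)
    # Fixed universal perturbation direction (unit norm); eps is its strength.
    v = [rng.gauss(0.0, 1.0) for _ in range(D)]
    nv = math.sqrt(sum(c * c for c in v))
    v = [c / nv for c in v]

    calib = sample_clean(rng, n)  # clean inputs used only to set the threshold
    clean = sample_clean(rng, n)  # held-out clean inputs
    attacked = [[xi + eps * vi for xi, vi in zip(x, v)] for x in sample_clean(rng, n)]

    tau = calibrate_threshold([lo_statistic(x, v) for x in calib], alpha)
    return {
        "threshold": tau,
        "false_alarm": detection_rate([lo_statistic(x, v) for x in clean], tau),
        "power": detection_rate([lo_statistic(x, v) for x in attacked], tau),
    }


if __name__ == "__main__":
    print(run_experiment())
```

Because v has unit norm and the coordinates have unit variance, T is close to N(0, 1) under H0 and shifted by eps under H1, so with alpha = 0.05 the threshold lands near 1.65 and an eps of 3 is detected in the large majority of cases. A detector-aware attacker who knows v and the surrogate would instead choose a perturbation with small v.x component, which is the evasion the abstract refers to and which this toy statistic does not guard against.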