Certified robustness of modern machine learning methods

Huang, Zijian

Permalink

https://hdl.handle.net/2142/120561 Copy

Description

Title

Certified robustness of modern machine learning methods

Author(s)

Huang, Zijian

Issue Date

2023-04-27

Director of Research (if dissertation) or Advisor (if thesis)

Li, Bo

Department of Study

Computer Science

Discipline

Computer Science

Degree Granting Institution

University of Illinois at Urbana-Champaign

Degree Name

M.S.

Degree Level

Thesis

Keyword(s)

• Adversarial Machine Learning
• Reinforcement Learning
• Object Detection
• Certified Robustness

Abstract

As Neural Network based Machine Learning (ML) has achieved great success and been even adopted in safety-critical domains such as autonomous vehicles, a range of empirical studies have been conducted to improve its robustness against adversarial attacks. However, how to certify its robustness with theoretical guarantees still remains challenging. In this paper, we study two different attacks, from traditional machine learning tasks to reinforcement learning (RL) and from digital attacks to real world attacks. For the study of certified of robustness of reinforcement learning methods, we present the first unified framework CROP (Certifying Robust Policies for RL) to provide robustness certification on both action and reward levels where we propose two robustness certification criteria: robustness of per-state actions and lower bound of cumulative rewards. We then develop a local smoothing algorithm for policies derived from Q-functions to guarantee the robustness of actions taken along the trajectory; we also develop a global smoothing algorithm for certifying the lower bound of a finite-horizon cumulative reward, as well as a novel local smoothing algorithm to perform adaptive search in order to obtain tighter reward certification. Empirically, we apply CROP to evaluate several existing empirically robust RL algorithms, including adversarial training and different robust regularization, in four environments (two representative Atari games, Highway, and CartPole). Furthermore, by evaluating these algorithms against adversarial attacks, we demonstrate that our certifications are often tight. To extend and test our methods in real world applications, we choose Multi-sensor fusion systems against physical transformations as our benchmark. Multi-sensor fusion systems (MSF) are widely deployed in modern autonomous vehicles (AVs) as the perception module. Hence, their robustness to common and adversarial semantic transformations (such as vehicle rotation and shifting) in the physical world is critical to the safety of AVs. Prior work shows that multi-sensor fusion systems, though more robust than single-modal models, are still vulnerable to adversarial semantic transformations. Even some empirical defenses have been proposed, they can be adaptively attacked again. So far, no certified defenses have been studied yet for MSF. In this work, we propose the first robustness certification framework COMMIT to certify robustness of multi-sensor fusion systems against semantic attacks. We propose a practical anisotropic noise mechanism to leverage randomized smoothing given multi-modal data, a grid-based splitting method to characterize complex semantic transformations, and efficient algorithms to compute the certification for object detection and IoU lower bounds for large-scale MSF models. We provide a benchmark of certified robustness for different MSF models using COMMIT based on CARLA. We show that the certification for MSF models is at least 48.39% higher than single-modal models, which confirms the advantages of MSF models. In conclusion, we will show the effectiveness of our methods to certify the robustness of machine learning models against different types of adversarial attacks and the big gap of applying Neural Network based ML models in the real world.

Graduation Semester

2023-05

Type of Resource

Thesis

Copyright and License Information

Copyright 2023 Zijian Huang

Owning Collections