Robust Physical-World Attacks on Deep Learning Models

Eykholt, Kevin; Evtimov, Ivan; Fernandes, Earlence; Li, Bo; Rahmati, Amir; Xiao, Chaowei; Prakash, Atul; Kohno, Tadayoshi; Song, Dawn

doi:10.48550/arxiv.1707.08945

Cited by 65 publications

(92 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…However, these methods often produce models that are not easily interpretable, as the relationship between the input and output data is convoluted. Furthermore, deep learning models are often brittle, i.e., small changes in input data can lead to dramatic differences in their predictions 12,13 . Interpretability helps confirm the model is behaving reasonably and, in some situations, can even elucidate the underlying physics of the task at hand.…”

Section: Graphical Abstractmentioning

confidence: 99%

Statistical Learning for Accurate and Interpretable Battery Lifetime Prediction

Attia

Severson²,

Witmer³

2021

J. Electrochem. Soc.

View full text Add to dashboard Cite

Data-driven methods for battery lifetime prediction are attracting increasing attention for applications in which the degradation mechanisms are poorly understood and suitable training sets are available. However, while advanced machine learning and deep learning methods promise high performance with minimal data preprocessing, simpler linear models with engineered features often achieve comparable performance, especially for small training sets, while also providing physical and statistical interpretability. In this work, we use a previously published dataset to develop simple, accurate, and interpretable data-driven models for battery lifetime prediction. We first present the “capacity matrix” concept as a compact representation of battery electrochemical cycling data, along with a series of feature representations. We then create a number of univariate and multivariate models, many of which achieve comparable performance to the highest-performing models previously published for this dataset; thus, our work can serve as a comprehensive benchmarking study for this dataset. These models also provide insights into the degradation of these cells. Our approaches can be used both to quickly train models for a new battery cycling dataset and to benchmark the performance of more advanced machine learning methods.

show abstract

Section: Graphical Abstractmentioning

confidence: 99%

Statistical Learning for Accurate and Interpretable Battery Lifetime Prediction

Attia

Severson²,

Witmer³

2021

J. Electrochem. Soc.

View full text Add to dashboard Cite

show abstract

“…In a black-box attack scenario, hackers can create adversarial examples without knowledge of a target model's parameters by using another network to generate transferable attacks [25]. Furthermore, physical-world adversarial attacks have also fooled classification networks, including printed adversarial examples recaptured with a cell phone camera [3] and stop signs modified with tape perturbations mimicking graffiti [18]. These examples demonstrate the high-risk nature of adversarial examples, as well as the need to implement defenses against such attacks.…”

Section: Introductionmentioning

confidence: 99%

Noise Sensitivity-Based Energy Efficient and Robust Adversary Detection in Neural Networks

Sterneck,

Moitra,

Panda

2021

Preprint

View full text Add to dashboard Cite

Neural networks have achieved remarkable performance in computer vision, however they are vulnerable to adversarial examples. Adversarial examples are inputs that have been carefully perturbed to fool classifier networks, while appearing unchanged to humans. Based on prior works on detecting adversaries, we propose a structured methodology of augmenting a deep neural network (DNN) with a detector subnetwork. We use Adversarial Noise Sensitivity (ANS), a novel metric for measuring the adversarial gradient contribution of different intermediate layers of a network. Based on the ANS value, we append a detector to the most sensitive layer. In prior works, more complex detectors were added to a DNN, increasing the inference computational cost of the model. In contrast, our structured and strategic addition of a detector to a DNN reduces the complexity of the model while making the overall network adversarially resilient. Through comprehensive white-box and black-box experiments on MNIST, CIFAR-10, and CIFAR-100, we show that our method improves state-of-the-art detector robustness against adversarial examples. Furthermore, we validate the energy efficiency of our proposed adversarial detection methodology through an extensive energy analysis on various hardware scalable CMOS accelerator platforms. We also demonstrate the effects of quantization on our detector-appended networks.

show abstract

“…Many lack the ability to "explain their autonomous decisions to human users" [37] and some researchers have even suggested that there is an inverse relationship between system prediction quality and explainability [37]. Cyber-attackers have leveraged these weaknesses and neural networks' lack of context knowledge to develop adversarial neural network attacks [38] against systems providing services such as voice [39] and facial recognition [40], among others. Neural network algorithms are among those identified by Doyle [41] as "weapons of math destruction" and by Noble [42] as "algorithms of oppression".…”

Section: Neural Network and Their Explainability Issuesmentioning

confidence: 99%

Assessment of Gradient Descent Trained Rule-Fact Network Expert System Multi-Path Training Technique Performance

Straub

2021

Computers

View full text Add to dashboard Cite

The use of gradient descent training to optimize the performance of a rule-fact network expert system via updating the network’s rule weightings was previously demonstrated. Along with this, four training techniques were proposed: two used a single path for optimization and two use multiple paths. The performance of the single path techniques was previously evaluated under a variety of experimental conditions. The multiple path techniques, when compared, outperformed the single path ones; however, these techniques were not evaluated with different network types, training velocities or training levels. This paper considers the multi-path techniques under a similar variety of experimental conditions to the prior assessment of the single-path techniques and demonstrates their effectiveness under multiple operating conditions.

show abstract

Robust Physical-World Attacks on Deep Learning Models

Cited by 65 publications

References 0 publications

Statistical Learning for Accurate and Interpretable Battery Lifetime Prediction

Statistical Learning for Accurate and Interpretable Battery Lifetime Prediction

Noise Sensitivity-Based Energy Efficient and Robust Adversary Detection in Neural Networks

Assessment of Gradient Descent Trained Rule-Fact Network Expert System Multi-Path Training Technique Performance

Contact Info

Product

Resources

About