Invited Talks for AdvML'20

The Mysteries of Adversarial Robustness for Non-parametric Methods

Abstract: Adversarial examples are small, imperceptible perturbations to legitimate test inputs that cause machine learning classifiers to misclassify. While recent work has proposed many attacks and defenses, why exactly these examples arise remains a mystery. In this talk, we'll take a closer look at this question.
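
As a concrete point of reference (not part of the abstract itself), such a perturbation is often illustrated with a single gradient-sign step; the sketch below assumes a differentiable PyTorch classifier, and the model, inputs, and budget `eps` are placeholders.

```python
import torch
import torch.nn.functional as F

def fgsm_example(model, x, y, eps=8/255):
    """Craft an adversarial example with one gradient-sign step (FGSM-style).

    model : a differentiable classifier returning logits
    x, y  : a batch of legitimate inputs and their true labels
    eps   : perturbation budget in the L-infinity norm
    """
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    loss.backward()
    # Move each pixel by at most eps in the direction that increases the loss.
    x_adv = x + eps * x.grad.sign()
    return x_adv.clamp(0, 1).detach()
```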

We will look at non-parametric methods and define a large-sample limit for adversarially robust classification that is analogous to the Bayes optimal classifier. We will then show that adversarial robustness in non-parametric methods is largely a consequence of the training method. If time permits, we will look at what these findings mean for neural networks.
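
One standard way to make "analogous to the Bayes optimal" precise (our notation, not necessarily the formulation used in the talk) is through the robust risk under perturbations of radius r:

```latex
% Robust risk of a classifier f under perturbation radius r:
% a point counts as an error if ANY perturbation within distance r
% moves the prediction away from the true label.
\[
  R_r(f) \;=\; \Pr_{(x,y)\sim \mathcal{D}}
  \Big[\, \exists\, x' \ \text{with}\ \|x' - x\|_p \le r
          \ \text{such that}\ f(x') \neq y \,\Big]
\]
\[
  f^{\star}_r \;=\; \arg\min_{f} R_r(f)
  \qquad \text{(the robust analogue of the Bayes optimal classifier).}
\]
```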

Artificial Adversarial Intelligence

Abstract: With my MIT CSAIL research group, I explore Artificial Adversarial Intelligence, studying natural and computational ecosystems characterized by intelligent, adaptive adversaries. We use machine learning to model adversarial adaptation, and our methods range from bio-inspired to statistical algorithms. We have found coevolutionary algorithms to be well suited to studying cyber-network attack-defense arms races and cyber-hunting. We are intrigued by the GAN paradigm and how its training induces adversarial dynamics. We consider adversarial example attacks on binary, code, and continuous spaces, under both white-box and black-box threat models.


Understanding, Improving and Evaluating Adversarial Robustness in Deep Learning


Abstract: Deep Neural Networks (DNNs) have enabled many breakthroughs in different areas of artificial intelligence. However, it is well known that DNNs are vulnerable to adversarial examples. This raises serious concerns about the robustness of DNNs and leads to an increasing need for robust DNN models. In this talk, I will focus on understanding, improving, and evaluating adversarial robustness in deep learning. First, I will discuss the role that “misclassified examples” play in adversarial training and show that misclassified examples have a significant impact on the final robustness. I will then introduce a misclassification-aware adversarial training algorithm that produces more robust DNN models. Second, I will present a new hard-label, attack-based model robustness evaluation method that is completely gradient-free. Our evaluation method is able to identify “falsely robust” models that may deceive traditional white-box/black-box attacks and give a false sense of robustness. If time allows, I will briefly discuss how network architecture (i.e., network width) affects adversarial robustness and provide guidance on how to fully unleash the power of wide model architectures.
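
For a rough sense of how a misclassification-aware term might enter an adversarial training objective, here is a minimal sketch under our own assumptions; the weighting scheme, the `attack` routine, and the `beta` coefficient are placeholders, and this is not the speaker's exact algorithm.

```python
import torch
import torch.nn.functional as F

def misclassification_aware_loss(model, x, y, attack, beta=6.0):
    """Adversarial training loss that up-weights misclassified clean examples.

    attack(model, x, y) -> adversarial version of x (e.g., a PGD routine).
    beta scales the extra penalty applied where the clean prediction is
    already wrong. All names are placeholders, not the talk's formulation.
    """
    x_adv = attack(model, x, y)
    logits_adv = model(x_adv)
    base = F.cross_entropy(logits_adv, y)

    with torch.no_grad():
        logits_clean = model(x)
        clean_prob = F.softmax(logits_clean, dim=1)
        # 1 for examples the model misclassifies even without perturbation.
        wrong = (logits_clean.argmax(dim=1) != y).float()

    # Keep the adversarial prediction close to the clean one, weighting the
    # penalty more heavily on examples the model already gets wrong.
    kl = F.kl_div(F.log_softmax(logits_adv, dim=1), clean_prob,
                  reduction='none').sum(dim=1)
    return base + beta * (wrong * kl).mean()
```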