I am doing a research project in the field of adversarial learning as a 3 credit research course. What is adversarial learning? It is the use of malicious, slightly modified examples to fool deep learning algorithms. Examples are shown below.
The goal of this project is to develop a completely new system for adversarial attacks on images based on two previously developed methods. The neural networks that will be attacked are pre-defined in Keras.
The first method, developed by researchers at Imperial College London, uses Bayesian Optimization to get the best results from procedural noise. Procedural noise, like the Perlin Noise shown below, is noise with a specific pattern. Three different parameters of this noise can be optimized to get the best adversarial result. The advantage of this system is that it requires very few queries, but the resulting images are noticeably different from the originals.
The second method is called the HopSkipJumpAttack (HSJA). This method uses a binary search to reach the "boundary" (the point at which the classifier assigns a different label), then goes in the opposite direction of the gradient. This process is repeated until a minimum can be found. The progression is geometric, so it gradually slows down.
HSJA requires far more queries than the first method and is time-consuming. On the other hand, it is very effective at minimizing the differences between the two.
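To make the HSJA loop described above concrete, here is an added toy implementation (not code from this project or from the HSJA authors) on a constructed two-dimensional classifier whose decision boundary is the unit circle: binary search to the boundary, a label-only Monte-Carlo estimate of the boundary direction, and a step size that shrinks geometrically. The classifier, the starting points and the query counter are all assumptions made for the illustration.

```python
import math
import random

QUERIES = [0]  # counts label queries; HSJA's cost is measured in these

def classify(x):
    """Constructed toy target: class 1 outside the unit circle, class 0 inside."""
    QUERIES[0] += 1
    return 1 if x[0] ** 2 + x[1] ** 2 > 1.0 else 0

def dist(a, b):
    return math.sqrt(sum((p - q) ** 2 for p, q in zip(a, b)))

def unit(v):
    n = math.sqrt(sum(c * c for c in v))
    return [c / n for c in v]

def project_to_boundary(x_orig, x_adv, label, tol=1e-6):
    """Binary search on x_orig -> x_adv for the nearest point still misclassified."""
    lo, hi = 0.0, 1.0  # lo stays on the original side, hi on the adversarial side
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if classify([o + mid * (a - o) for o, a in zip(x_orig, x_adv)]) == label:
            lo = mid
        else:
            hi = mid
    return [o + hi * (a - o) for o, a in zip(x_orig, x_adv)]

def estimate_direction(x_b, label, rng, n=100, delta=0.01):
    """Monte-Carlo estimate of the boundary normal at x_b from labels alone."""
    dirs, signs = [], []
    for _ in range(n):
        u = unit([rng.gauss(0, 1), rng.gauss(0, 1)])
        dirs.append(u)
        signs.append(1.0 if classify([p + delta * c for p, c in zip(x_b, u)]) != label else -1.0)
    mean = sum(signs) / n  # baseline subtraction reduces estimator variance
    return unit([sum((s - mean) * u[i] for s, u in zip(signs, dirs)) for i in (0, 1)])

def hsja(x_orig, x_start, iterations=30, seed=0):
    """x_start must already be misclassified; returns a boundary point near x_orig."""
    rng = random.Random(seed)
    label = classify(x_orig)
    x_b = project_to_boundary(x_orig, x_start, label)
    for t in range(1, iterations + 1):
        v = estimate_direction(x_b, label, rng)
        eps = dist(x_b, x_orig) / math.sqrt(t)  # step shrinks geometrically over time
        while classify([p + eps * c for p, c in zip(x_b, v)]) == label:
            eps /= 2  # halve until the step lands on the adversarial side
        x_b = project_to_boundary(x_orig, [p + eps * c for p, c in zip(x_b, v)], label)
    return x_b
```

For x_orig = (0.6, 0) the nearest misclassified point is (1, 0) at distance 0.4, and the loop closes in on it from a starting distance of about 0.99 while QUERIES records how many label lookups that cost.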
Both of these methods have been implemented and tested on a deep learning desktop. Now, the time for combining them has begun. Due to limitations coming from the COVID-19 crisis (power was out for several weeks) and the fact that my PhD student had to use the desktop for some time, I may not be able to finish it by the end of this semester. Regardless, I will finish it over the summer.