Machine learning is a key aspect of Artificial Intelligence. However, one area that has always been an issue to worry about is adversarial attacks. It is because of this that the models trained to work in a particular way fail to do so and act in undesired ways.
Computer vision is one of those areas that has grabbed eyeballs from everywhere around. This is the area where the AI systems deployed aid in processing the visual data. What attackers do here is add a layer of noise to the images. This further makes matters worse as adding noise leads in misclassification. A defence method against such an adversarial attack is “randomized smoothing.” This is a method wherein the machine learning systems become resilient against imperceptible perturbations.
However, it has been observed that despite randomized smoothing, machine learning systems could fail. Here are some aspects of Adversarial machine learning.
This makes into the list of the most common techniques to target the data that forms the base of training the models. Data poisoning is where corrupt data is inserted into the dataset. Doing so, training the machine learning model is compromised. In some cases, such techniques are seen to trigger a specific undesirable behaviour in a computer vision system whereas in some it has been observed that the accuracy of a machine learning model is reduced drastically. What is an area of concern here is that it becomes virtually impossible to detect all these attacks because their modifications are not visible to the human eye.
It has been established that minimizing the empirical error wouldn’t be that effective as the models are still vulnerable to adversarial attacks. Random smoothing is a technique that serves to be useful here. The technique works by cancelling out the effects of data poisoning by establishing an average certified radius (ACR) during the training of a machine learning model. Now here is the catch – when a trained computer vision model classifies an image correctly, then adversarial perturbations within the certified radius will not affect its accuracy. However, larger the ACR, it becomes a little difficult to make the adversarial noise visible to the human eye.
Poisoning Against Certified Defenses and bilevel optimization
This is yet another research paper wherein the researchers came up with a new data poisoning method called Poisoning Against Certified Defenses (PACD). This method employs bi-level optimization, a technique that has two major objectives to serve: one, to create poisoned data for models that have undergone robustness training, and the other to pass the certification procedure. This process takes a set of clean training examples and gradually adds noise to them until they reach a level that can circumvent the target training technique. When the target model is trained on the tainted dataset, its ACR is reduced drastically. Using PACD, the researchers have been successful in producing clean adversarial examples. Simply put, the perturbations are not visible to the human eye.
Transfer learning on adversarial attacks
The researchers wanted to check whether a poisoned dataset targeted at one adversarial training technique would prove to be effective against others. On that note, it was found that PACD transfers across different training techniques.
Adversarial attacks are presenting new challenges for the cybersecurity community. Hence, the coming years would see a lot of challenges in this area. Though PACD is effective, sound knowledge of the target machine learning model before formulating the poisoned data is the need of the hour. Yet another area of concern is the cost of producing the poisoned dataset. If all of this is taken into account, the future can see promising results for sure.
More info about author
Credit: Google News