IMAGE CLASSIFIER RESILIENT TO ADVERSARIAL ATTACKS, FAULT INJECTIONS AND CONCEPT DRIFT – MODEL ARCHITECTURE AND TRAINING ALGORITHM

Authors

  • V. V. Moskalenko, Sumy State University, Sumy, Ukraine
  • A. S. Moskalenko, Sumy State University, Sumy, Ukraine
  • A. G. Korobov, Sumy State University, Sumy, Ukraine
  • M. O. Zaretsky, Sumy State University, Sumy, Ukraine

DOI:

https://doi.org/10.15588/1607-3274-2022-3-9

Keywords:

image classification, robustness, resilience, graceful degradation, adversarial attacks, fault injection, concept drift.

Abstract

Context. The vulnerability of image classification algorithms to destructive perturbations has not yet been definitively resolved and remains highly relevant for safety-critical applications. The object of research is therefore the process of training and inference of an image classifier that operates under the influence of destructive perturbations. The subjects of the research are the model architecture and training algorithm of an image classifier that provide resilience to adversarial attacks, fault injection attacks and concept drift.

Objective. The stated research goal is to develop an effective model architecture and training algorithm that provide resilience to adversarial attacks, fault injections and concept drift.

Method. A new training algorithm is proposed which combines self-knowledge distillation, information measure maximization, class distribution compactness and interclass gap maximization, data compression based on discretization of the feature representation, and semi-supervised learning based on consistency regularization.

Results. The model architecture and training algorithm of the image classifier were developed. The obtained classifier was tested on the Cifar10 dataset to evaluate its resilience over an interval of 200 mini-batches, with training and test mini-batch sizes of 128 examples, under the following perturbations: adversarial black-box L∞ attacks with perturbation levels of 1, 3, 5 and 10; inversion of one randomly selected bit in a tensor for 10%, 30%, 50% and 60% of randomly selected tensors; addition of one new class; and real concept drift between a pair of classes. The effect of the feature space dimensionality on the value of the information criterion of model performance without perturbations and on the value of the integral metric of resilience during exposure to perturbations is considered.
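The bit-inversion fault model used in the experiments above, as an added example that is not the authors' code: one randomly chosen bit of one float32 value is inverted in a randomly chosen fraction of the model's tensors, and every injected fault is logged so the run can be reproduced and audited. The page does not say how tensors or elements are selected, so uniform sampling without replacement is assumed here, and the weight tensors are constructed stand-ins.

```python
import random
import struct
from typing import Dict, List, Tuple

Tensor = List[float]
FaultLog = List[Tuple[int, int, int]]   # (tensor index, element index, bit position)

def f32_bits(value: float) -> int:
    """IEEE-754 float32 bit pattern of value (rounded to single precision)."""
    return struct.unpack("<I", struct.pack("<f", value))[0]

def flip_one_bit(value: float, bit: int) -> float:
    """Invert bit `bit` (0 = mantissa LSB, 31 = sign) of value's float32 encoding."""
    return struct.unpack("<f", struct.pack("<I", f32_bits(value) ^ (1 << bit)))[0]

def bit_distance(a: float, b: float) -> int:
    """Number of differing bits between the float32 encodings of a and b."""
    return bin(f32_bits(a) ^ f32_bits(b)).count("1")

def inject_faults(tensors: List[Tensor], tensor_fraction: float,
                  seed: int) -> Tuple[List[Tensor], FaultLog]:
    """Fault model from the abstract: pick round(tensor_fraction * N) tensors and
    invert one randomly chosen bit in each. Assumed here (the page does not say):
    tensors are drawn uniformly without replacement, the element hit is uniform.
    Returns a faulty copy (clean weights are never mutated) plus an audit log."""
    rng = random.Random(seed)
    n_faulty = int(round(tensor_fraction * len(tensors)))
    faulty = [list(t) for t in tensors]
    log: FaultLog = []
    for ti in sorted(rng.sample(range(len(tensors)), n_faulty)):
        ei = rng.randrange(len(tensors[ti]))
        bit = rng.randrange(32)
        faulty[ti][ei] = flip_one_bit(faulty[ti][ei], bit)
        log.append((ti, ei, bit))
    return faulty, log

def changed_tensors(clean: List[Tensor], faulty: List[Tensor]) -> int:
    """How many tensors differ in at least one float32 bit after injection."""
    return sum(1 for tc, tf in zip(clean, faulty)
               if any(bit_distance(x, y) for x, y in zip(tc, tf)))

def sweep(tensors: List[Tensor], fractions: List[float], seed: int) -> Dict[float, int]:
    """Apply each fault level of the paper's protocol to a fresh copy of the weights."""
    return {f: changed_tensors(tensors, inject_faults(tensors, f, seed)[0]) for f in fractions}

if __name__ == "__main__":
    # Constructed stand-in for a model's weights: 10 tensors of 4 float32 values each.
    weights = [[2.0 ** (i - 3), -1.0, 0.25, 4.0] for i in range(10)]
    print(sweep(weights, [0.1, 0.3, 0.5, 0.6], seed=7))  # → {0.1: 1, 0.3: 3, 0.5: 5, 0.6: 6}
```

A single flipped exponent or sign bit can turn a weight into a value orders of magnitude off (or infinity), which is why the experiment measures resilience rather than assuming small numeric drift.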

Conclusions. The proposed model architecture and learning algorithm provide absorption of part of the disturbing influence, graceful degradation due to hierarchical classes and adaptive computation, and fast adaptation on a limited amount of labeled data. It is shown that adaptive computation saves up to 40% of resources due to early decision-making in the lower sections of the model, while a perturbing influence slows it down, which can be considered a form of graceful degradation. A multi-section structure trained using knowledge self-distillation principles has been shown to provide more than 5% improvement in the value of the integral metric of resilience compared to an architecture where the decision is made on the last layer of the model. It is observed that the dimensionality of the feature space noticeably affects the resilience to adversarial attacks and can be chosen as a trade-off between resilience to perturbations and efficiency without perturbations.

Author Biographies

V. V. Moskalenko, Sumy State University, Sumy, Ukraine

PhD, Associate Professor, Associate professor of Computer Science department

A. S. Moskalenko, Sumy State University, Sumy, Ukraine

PhD, Senior lecturer of Computer Science department

A. G. Korobov, Sumy State University, Sumy, Ukraine

PhD, Senior lecturer of Computer Science department

M. O. Zaretsky, Sumy State University, Sumy, Ukraine

Postgraduate student of Computer Science department

Published

2022-10-16

How to Cite

Moskalenko, V. V., Moskalenko, A. S., Korobov, A. G., & Zaretsky, M. O. (2022). IMAGE CLASSIFIER RESILIENT TO ADVERSARIAL ATTACKS, FAULT INJECTIONS AND CONCEPT DRIFT – MODEL ARCHITECTURE AND TRAINING ALGORITHM. Radio Electronics, Computer Science, Control, (3), 86. https://doi.org/10.15588/1607-3274-2022-3-9

Section

Neuroinformatics and intelligent systems