Many modern machine learning classifiers are shown to be vulnerable to adversarial perturbations of the instances. Despite a massive amount of work focusing on making classifiers robust, the task seems quite challenging. In this work, through a theoretical study, we investigate the adversarial risk and robustness of classifiers and draw a connection to the well-known phenomenon of "concentration of measure" in metric measure spaces. We show that if the metric probability space of the test instance is concentrated, any classifier with some initial constant error is inherently vulnerable to adversarial perturbations.One class of concentrated metric probability spaces are the so-called Lévy families that include many natural distributions. In this special case, our attacks only need to perturb the test instance by at most O( √ n) to make it misclassified, where n is the data dimension. Using our general result about Lévy instance spaces, we first recover as special case some of the previously proved results about the existence of adversarial examples. However, many more Lévy families are known (e.g., product distribution under the Hamming distance) for which we immediately obtain new attacks that find adversarial examples of distance O( √ n).Finally, we show that concentration of measure for product spaces implies the existence of forms of "poisoning" attacks in which the adversary tampers with the training data with the goal of degrading the classifier. In particular, we show that for any learning algorithm that uses m training examples, there is an adversary who can increase the probability of any "bad property" (e.g., failing on a particular test instance) that initially happens with 1/poly(m) probability to ≈ 1 by substituting only O( √ m) of the examples with other (still correctly labeled) examples.* This is the full version of a work appearing in AAAI 2019.
This paper is concerned with exact real solving of well-constrained, bivariate polynomial systems. The main problem is to isolate all common real roots in rational rectangles, and to determine their intersection multiplicities. We present three algorithms and analyze their asymptotic bit complexity, obtaining a bound of OB(N 14 ) for the purely projection-based method, and OB(N 12 ) for two subresultant-based methods: this notation ignores polylogarithmic factors, where N bounds the degree and the bitsize of the polynomials. The previous record bound was OB(N 14 ).Our main tool is signed subresultant sequences. We exploit recent advances on the complexity of univariate root isolation, and extend them to sign evaluation of bivariate polynomials over two algebraic numbers, and real root counting for polynomials over an extension field. Our algorithms apply to the problem of simultaneous inequalities; they also compute the topology of real plane algebraic curves in OB(N 12 ), whereas the previous bound was OB(N 14 ).All algorithms have been implemented in maple, in conjunction with numeric filtering. We compare them against fgb/rs, system solvers from synaps, and maple libraries insulate and top, which compute curve topology. Our software is among the most robust, and its runtimes are comparable, or within a small constant factor, with respect to the C/C++ libraries.
Recently, Mahloujifar and Mahmoody (TCC'17) studied attacks against learning algorithms using a special case of Valiant's malicious noise, called p-tampering, in which the adversary gets to change any training example with independent probability p but is limited to only choose 'adversarial' examples with correct labels. They obtained p-tampering attacks that increase the error probability in the so called 'targeted' poisoning model in which the adversary's goal is to increase the loss of the trained hypothesis over a particular test example. At the heart of their attack was an efficient algorithm to bias the expected value of any bounded real-output function through p-tampering.In this work, we present new biasing attacks for increasing the expected value of bounded real-valued functions. Our improved biasing attacks, directly imply improved p-tampering attacks against learners in the targeted poisoning model. As a bonus, our attacks come with considerably simpler analysis. We also study the possibility of PAC learning under p-tampering attacks in the non-targeted (aka indiscriminate) setting where the adversary's goal is to increase the risk of the generated hypothesis (for a random test example). We show that PAC learning is possible under p-tampering poisoning attacks essentially whenever it is possible in the realizable setting without the attacks. We further show that PAC learning under 'no-mistake' adversarial noise is not possible, if the adversary could choose the (still limited to only p fraction of) tampered examples that she substitutes with adversarially chosen ones. Our formal model for such 'bounded-budget' tampering attackers is inspired by the notions of (strong) adaptive corruption in secure multi-party computation.
This paper is concerned with exact real solving of well-constrained, bivariate algebraic systems. The main problem is to isolate all common real roots in rational rectangles, and to determine their intersection multiplicities. We present three algorithms and analyze their asymptotic bit complexity, obtaining a bound of O B (N 14 ) for the purely projectionbased method, and O B (N 12 ) for two subresultant-based methods: we ignore polylogarithmic factors, and N bounds the degree and the bitsize of the polynomials. The previous record bound was O B (N 16 ). Our main tool is signed subresultant sequences, extended to several variables by the technique of binary segmentation. We exploit recent advances on the complexity of univariate root isolation, and extend them to multipoint evaluation, to sign evaluation of bivariate polynomials over two algebraic numbers, and real root counting for polynomials over an extension field. Our algorithms apply to the problem of simultaneous inequalities; they also compute the topology of real plane algebraic curves in O B (N 12 ), whereas the previous bound was O B (N 16 ). All algorithms have been implemented in maple, in conjunction with numeric filtering. We compare them against fgb/rs and system solvers from synaps; we also consider maple libraries insulate and top, which compute curve topology. Our software is among the most robust, and its runtimes are comparable, or within a small constant factor, with respect to the C/C++ libraries.
Abstract-Society is moving towards a socio-technical ecosystem in which physical and virtual dimensions of life are intertwined and where people interactions ever more take place with or are mediated by machines. Hybrid Diversity-aware Collective Adaptive Systems (HDA-CAS) is a new generation of sociotechnical systems where humans and machines synergetically complement each other and operate collectively to achieve their goals. HDA-CAS introduce the fundamental properties of hybridity and collectiveness, hiding from the users the complexities associated with managing the collaboration and coordination of machine and human computing elements. In this paper we present an HDA-CAS system called SmartSociety, supporting computations with hybrid human/machine collectives. We describe the platform's architecture and functionality, validate it on two real-world scenarios involving human and machine elements and present a performance evaluation.
scite is a Brooklyn-based organization that helps researchers better discover and understand research articles through Smart Citations–citations that display the context of the citation and describe whether the article provides supporting or contrasting evidence. scite is used by students and researchers from around the world and is funded in part by the National Science Foundation and the National Institute on Drug Abuse of the National Institutes of Health.
customersupport@researchsolutions.com
10624 S. Eastern Ave., Ste. A-614
Henderson, NV 89052, USA
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Copyright © 2024 scite LLC. All rights reserved.
Made with 💙 for researchers
Part of the Research Solutions Family.