Is Deep Learning Safe for Robot Vision? Adversarial Examples Against the iCub Humanoid

Melis, Marco; Demontis, Ambra; Biggio, Battista; Brown, Gavin; Fumera, Giorgio; Roli, Fabio

doi:10.1109/iccvw.2017.94

Cited by 72 publications

(82 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Szegedy et al [51] first showed that neural networks are vulnerable to small perturbations on inputs. It has since been shown that such examples can be exploited to attack machine learning systems in safety-critical applications such as autonomous robotics [36] and malware classication [19].…”

Section: Related Workmentioning

confidence: 99%

Optimization and abstraction: a synergistic approach for analyzing neural network robustness

Anderson

Pailoor

Dillig

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

In recent years, the notion of local robustness (or robustness for short) has emerged as a desirable property of deep neural networks. Intuitively, robustness means that small perturbations to an input do not cause the network to perform misclassifications. In this paper, we present a novel algorithm for verifying robustness properties of neural networks. Our method synergistically combines gradient-based optimization methods for counterexample search with abstraction-based proof search to obtain a sound and (δ -)complete decision procedure. Our method also employs a data-driven approach to learn a verification policy that guides abstract interpretation during proof search. We have implemented the proposed approach in a tool called Charon and experimentally evaluated it on hundreds of benchmarks. Our experiments show that the proposed approach significantly outperforms three state-of-the-art tools, namely AI 2 , Reluplex, and Reluval.

show abstract

Section: Related Workmentioning

confidence: 99%

Optimization and abstraction: a synergistic approach for analyzing neural network robustness

Anderson

Pailoor

Dillig

et al. 2019

Proceedings of the 40th ACM SIGPLAN Conference on Programming Language Design and Implementation

View full text Add to dashboard Cite

show abstract

“…Even if the majority of approaches implementing rejection or abstaining classifiers have not considered the problem of defending against adversarial examples, some recent work has explored this direction too [12], [13]. Nevertheless, with respect to the approach proposed in this work, they have only considered the output of the last network layer and perform rejection based solely on that specific feature representation.…”

Section: B Experimental Resultsmentioning

confidence: 99%

“…In particular, Bendale and Boult [13] have proposed a rejection mechanism based on reducing the open-set risk in the feature space of the activation vectors extracted from the last layer of the network, while Melis et.al. [12] have applied a threshold on the output of an RBF SVM classifier. Despite these differences, the rationale of the two approaches is quite similar and resembles the older idea of distance-based rejection.…”

Section: B Experimental Resultsmentioning

confidence: 99%

Deep neural rejection against adversarial examples

Sotgiu

Demontis

Melis

et al. 2020

EURASIP J. on Info. Security

Self Cite

View full text Add to dashboard Cite

Despite the impressive performances reported by deep neural networks in different application domains, they remain largely vulnerable to adversarial examples, i.e., input samples that are carefully perturbed to cause misclassification at test time. In this work, we propose a deep neural rejection mechanism to detect adversarial examples, based on the idea of rejecting samples that exhibit anomalous feature representations at different network layers. With respect to competing approaches, our method does not require generating adversarial examples at training time, and it is less computationally demanding. To properly evaluate our method, we define an adaptive white-box attack that is aware of the defense mechanism and aims to bypass it. Under this worst-case setting, we empirically show that our approach outperforms previously-proposed methods that detect adversarial examples by only analyzing the feature representation provided by the output network layer.

show abstract

“…Unlike the traditional computing algorithms, ML algorithms dynamically change the computational flow with respect to the input data, which increases the energy overhead. Moreover, due to the unpredictability of the computing in hidden layers of neural networks, these algorithms possess several security vulnerabilities which result in increased system vulnerability towards security threats [8]- [11]. Some example are: Amazon echo hacking [8], Facebook chatbots [8], selfdriving bus crashes (on its very first day in Las Vegas) [13].…”

Section: Fig 2: Applications Of Machine Learning Algorithms (Source mentioning

confidence: 99%

Security for Machine Learning-Based Systems: Attacks and Challenges During Training and Inference

Khalid

Hanif

Rehman

et al. 2018

2018 International Conference on Frontiers of Information Technology (FIT)

View full text Add to dashboard Cite

The exponential increase in dependencies between the cyber and physical world leads to an enormous amount of data which must be efficiently processed and stored. Therefore, computing paradigms are evolving towards machine learning (ML)-based systems because of their ability to efficiently and accurately process the enormous amount of data. Although MLbased solutions address the efficient computing requirements of big data, they introduce (new) security vulnerabilities into the systems, which cannot be addressed by traditional monitoringbased security measures. Therefore, this paper first presents a brief overview of various security threats in machine learning, their respective threat models and associated research challenges to develop robust security measures. To illustrate the security vulnerabilities of ML during training, inferencing and hardware implementation, we demonstrate some key security threats on ML using LeNet and VGGNet for MNIST and German Traffic Sign Recognition Benchmarks (GTSRB), respectively. Moreover, based on the security analysis of ML-training, we also propose an attack that has a very less impact on the inference accuracy. Towards the end, we highlight the associated research challenges in developing security measures and provide a brief overview of the techniques used to mitigate such security threats.

show abstract

Is Deep Learning Safe for Robot Vision? Adversarial Examples Against the iCub Humanoid

Cited by 72 publications

References 27 publications

Optimization and abstraction: a synergistic approach for analyzing neural network robustness

Optimization and abstraction: a synergistic approach for analyzing neural network robustness

Deep neural rejection against adversarial examples

Security for Machine Learning-Based Systems: Attacks and Challenges During Training and Inference

Contact Info

Product

Resources

About