Vulnerability Study of Binary Neural Networks

Project source

Hong Kong Research Grants Council (RGC)

Principal investigator

黄毅

Host institution

The University of Hong Kong

Year of award

2020

Start date

Not disclosed

Project number

17206020

Research period

Unknown / Unknown

Project level

Provincial level

Funding amount

HK$563,370.00

Discipline

Computing Science & Information Technology

Discipline code

Not disclosed

Funding category

General Research Fund

Keywords

Not disclosed

Participants

Prof Daniel, Luca

Participating institutions

Not disclosed

Project proposal abstract: The vulnerability of deep neural networks to adversarial attacks has drawn the attention of the machine learning community since about five years ago and remains an important concern for safety-critical applications. The latest Nature article, from October 2019 and titled "Why deep-learning AIs are so easy to fool", echoes that neural networks are prone to adversaries and that their vulnerability is a challenging topic. Addressing this problem requires a reliable and effective way to evaluate the robustness of a network, such as the recently developed certified lower bounds on the minimum adversarial perturbation. Meanwhile, the latest development in artificial intelligence (AI) deployment is to offload neural network computation, including inference and part of the training, from the center (e.g., the cloud) to the edge (e.g., user devices). This places stringent requirements on the AI computation because edge devices are often resource-constrained. To this end, light yet powerful models, binary neural networks, have evolved as small, low-power counterparts of conventional neural networks. Although binary neural networks are attractive in that their output accuracy is comparable to that of full-precision networks, their vulnerability to adversarial attacks has been even less studied.
        To this end, the project first aims to investigate the vulnerability of binary neural networks in three steps: i) proposing a theoretical and general quantification of the lower bound on the minimum adversary; ii) adapting minimum perturbation estimation schemes to binary neural networks; and iii) attacking binary neural networks to find an upper bound on the minimum adversary. However, when the certified lower bound (Step i) is compared with the direct estimate of the minimum perturbation (Step ii) and the upper bound suggested by attacks (Step iii), a new challenge arises: the potentially large gap between the certified lower bound and the upper bound on the minimum perturbation. Although there are methods for computing a safe region in which no ℓp-norm adversary exists, the regions computed by existing state-of-the-art methods are usually too small to be useful. In our preliminary study, the gap between the certified lower bound and the attack-based upper bound was generally not negligible. This quantitative inconsistency reduces the practicality of these state-of-the-art robustness evaluation methods.
        The goals of the project are therefore twofold: a theoretical and general vulnerability quantification for binary neural networks, and a framework for tightening the theoretical bounds of state-of-the-art lower-bounding methods for multilayer perceptrons, convolutional neural networks and recurrent neural networks. To reach these goals, four main objectives are set:
        1) Adapt the latest verification-based vulnerability quantifiers to binary neural networks;
        2) Comprehensively study the vulnerability of conventional and binary neural networks through both verification-based and attack-based methods;
        3) Investigate the statistics of neuron activations in each layer and tighten the output bounds by closing the gap in each layer;
        4) Release the source code and benchmarks into the public domain.

Application Abstract: Vulnerability Study of Binary Neural Networks

Abstract

The vulnerability of deep neural networks to adversarial attacks has attracted much attention in the machine learning community since about 5 years ago and remains an important concern for safety-critical applications. The latest Nature article, in October 2019, titled "Why deep-learning AIs are so easy to fool", echoes that neural networks are prone to adversaries and that their vulnerability stands as a challenging topic. Addressing this issue requires a reliable and efficient way to evaluate the robustness of a network, such as the recently developed certified lower bounds of the minimum adversarial perturbation. Meanwhile, the latest development in artificial intelligence (AI) deployment is to offload the neural network computation, including inference and part of the training, from the center (e.g., cloud) to the edge (e.g., user devices). This places stringent requirements on the AI computation due to the often resource-constrained edge devices. To this end, light yet powerful models, binary neural networks, have evolved as small-size and low-power counterparts of conventional neural networks. Although binary neural networks are tempting in terms of their output accuracy, comparable to that of full-precision networks, their vulnerability to adversarial attacks has been even less explored.

To this end, this project aims first to investigate the vulnerability of binary neural networks in three steps: i) proposing a theoretical and general quantification for the lower bound of the minimum adversary; ii) adapting minimum perturbation estimation schemes for binary neural networks; and iii) attacking binary neural networks to find an upper bound of the minimum adversary. However, in comparing the certified lower bound (Step i) to the direct estimation of the minimum perturbation (Step ii) and the upper bound suggested by attacks (Step iii), a new challenge arises: the potentially big gap between the certified lower bound and the upper bound of the minimum perturbation. Although there are ways to compute a safety region where no ℓp-norm adversaries exist, the regions computed by existing state-of-the-art methods are often too small to be useful. In our preliminary study, there were generally non-negligible gaps between the certified lower bound and the attack-based upper bound. This inconsistency in the quantification diminishes the practicality of these state-of-the-art robustness evaluation approaches.

Consequently, the goals of this project are twofold, namely, to derive a theoretical and general vulnerability quantification for binary neural networks, as well as to design a framework for tightening the theoretical bounds of state-of-the-art lower-bounding methods for multilayer perceptron networks, convolutional neural networks, and recurrent neural networks. To accomplish these goals, four main objectives are in place:
1) To adapt the latest verification-based vulnerability quantifiers to binary neural networks;
2) To comprehensively study the vulnerability of conventional and binary neural networks via both verification-based and attack-based methods;
3) To investigate the statistics of neuron activations in each layer and tighten the output bounds by closing the gap of each layer;
4) To release source codes and benchmarks into the public domain.

The PI and Co-I are recognized in the machine learning community as pioneers in investigating, developing, and promoting network vulnerability quantification algorithms. Lately, both the PI and Co-I have begun to extend this quantification into the emerging field of energy-economic machine learning models such as binary neural networks, and have been providing new insights and results from the perspective of model fragility. Research outputs of this project will generate significant theoretical and practical value to modern AI computing, where model portability and reliability are of critical importance.
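The three quantities the abstract compares (a certified lower bound on the minimum adversarial perturbation, an attack-based upper bound, and the gap between them) can be made concrete on a toy network. The code below is an added example and is not code from the project or its investigators. It uses interval bound propagation (IBP), one of the standard verification-based bounding techniques and chosen here only for its simplicity, for the certified side, and a brute-force search over the vertices of the ℓ∞ ball for the attack side. The two-layer network with weights in {-1, +1}, the biases, the clean input `X0` and the grid/bisection parameters are all constructed assumptions.

```python
"""Certified lower bound (IBP) vs attack-based upper bound on the minimum
L_inf adversarial perturbation of a toy binary-weight MLP.

Added example; the network, input point and bounding methods are assumptions
chosen for illustration, not the grant's own method or code."""
from itertools import product

# Constructed toy network: 2 inputs -> 3 hidden (ReLU) -> 2 logits.
# Weights are restricted to {-1, +1} as in a binarized network; biases and
# activations stay real-valued.
W1 = [[1, 1], [1, -1], [-1, 1]]
B1 = [0.0, 0.0, 0.0]
W2 = [[1, 1, -1], [-1, 1, 1]]
B2 = [0.0, 0.0]
X0 = [0.6, 0.3]  # constructed clean input; the network labels it class 0


def affine(x, W, b):
    return [sum(w * xi for w, xi in zip(row, x)) + bi for row, bi in zip(W, b)]


def relu(v):
    return [max(0.0, t) for t in v]


def forward(x):
    """Logits of the toy network at point x."""
    return affine(relu(affine(x, W1, B1)), W2, B2)


def interval_affine(lb, ub, W, b):
    """Interval arithmetic for an affine layer: a positive weight maps the
    lower input bound to the lower output bound, a negative weight swaps
    them. Every nonzero weight widens the interval, so in a binary net every
    single weight contributes to the growth."""
    out_lb, out_ub = [], []
    for row, bias in zip(W, b):
        lo = hi = bias
        for w, l, u in zip(row, lb, ub):
            if w >= 0:
                lo += w * l
                hi += w * u
            else:
                lo += w * u
                hi += w * l
        out_lb.append(lo)
        out_ub.append(hi)
    return out_lb, out_ub


def ibp_margin_lower_bound(x, eps, target):
    """Lower bound on min_j (logit[target] - logit[j]) over the L_inf ball of
    radius eps around x, via interval bound propagation. A positive value is
    a sound certificate that no adversary of that size exists; the bound is
    loose because it ignores correlations between neurons."""
    lb = [xi - eps for xi in x]
    ub = [xi + eps for xi in x]
    lb, ub = interval_affine(lb, ub, W1, B1)
    lb, ub = relu(lb), relu(ub)
    lb, ub = interval_affine(lb, ub, W2, B2)
    return min(lb[target] - ub[j] for j in range(len(lb)) if j != target)


def certified_radius(x, target, eps_max=1.0, iters=60):
    """Largest eps for which IBP still certifies the label (bisection).
    Balls are nested, so the IBP margin bound is monotone in eps."""
    if ibp_margin_lower_bound(x, 0.0, target) <= 0:
        return 0.0
    if ibp_margin_lower_bound(x, eps_max, target) > 0:
        return eps_max
    lo, hi = 0.0, eps_max
    for _ in range(iters):
        mid = (lo + hi) / 2
        if ibp_margin_lower_bound(x, mid, target) > 0:
            lo = mid
        else:
            hi = mid
    return lo


def is_misclassified(x, target):
    logits = forward(x)
    return any(logits[j] > logits[target] for j in range(len(logits)) if j != target)


def attack_upper_bound(x, target, eps_max=1.0, steps=200):
    """Cheap attack: walk outward over a grid of radii and, at each radius,
    try every vertex of the L_inf ball (every sign pattern). The first radius
    that flips the label is a valid upper bound on the minimum perturbation,
    because a concrete adversarial example has been exhibited."""
    for k in range(1, steps + 1):
        eps = eps_max * k / steps
        for signs in product((-1.0, 1.0), repeat=len(x)):
            adv = [xi + eps * s for xi, s in zip(x, signs)]
            if is_misclassified(adv, target):
                return eps, adv
    return None, None


def bound_gap(x=X0):
    """Certified lower bound, attack-based upper bound and the adversary found."""
    logits = forward(x)
    target = max(range(len(logits)), key=logits.__getitem__)
    lower = certified_radius(x, target)
    upper, adv = attack_upper_bound(x, target)
    return {"target": target, "lower": lower, "upper": upper, "adversary": adv}


if __name__ == "__main__":
    r = bound_gap()
    print(f"class {r['target']}: certified eps >= {r['lower']:.4f}, "
          f"attack eps <= {r['upper']:.4f}, ratio {r['upper'] / r['lower']:.2f}")
```

On this constructed network IBP certifies a radius of 0.21 while the first vertex attack succeeds at 0.605, a ratio of almost 3; the true minimum perturbation lies somewhere between the two, and neither side tells you where. The certified side can be tightened by methods that track linear relaxations of each neuron instead of plain intervals, and the attack side by gradient-based search rather than vertex enumeration, which is the kind of gap-closing the abstract's objectives 1 to 3 describe.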
