Deep neural networks are now incredibly accurate on a range of benchmark tasks. However, they remain susceptible to adversarial examples, or small perturbations that change a model's predictions. Researchers have made great progress in verifying models against specific adversarial threat models when the test data come from the same distribution as the training data. But how do these verified models behave under distributional shift? In this project, you will consider several forms of distributional shift and investigate how they affect verified models.
How do verified models behave under distributional shift?
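As a concrete starting point, here is a minimal sketch of how one might compare clean accuracy against accuracy under a simple synthetic shift. It assumes a PyTorch classifier and data loader; the function name accuracy_under_shift and the Gaussian-noise shift are illustrative assumptions, and a real study would substitute corruption benchmarks or other shift sources.

```python
import torch

def accuracy_under_shift(model, loader, noise_std=0.1, device="cpu"):
    """Compare clean accuracy to accuracy under a simple synthetic shift
    (additive Gaussian noise). Real experiments would swap in corruption
    benchmarks such as CIFAR-10-C or other sources of shift."""
    model.eval()
    clean_correct, shifted_correct, total = 0, 0, 0
    with torch.no_grad():
        for x, y in loader:
            x, y = x.to(device), y.to(device)
            clean_pred = model(x).argmax(dim=1)
            # Simple synthetic shift: additive Gaussian noise, clamped to [0, 1].
            x_shifted = (x + noise_std * torch.randn_like(x)).clamp(0.0, 1.0)
            shifted_pred = model(x_shifted).argmax(dim=1)
            clean_correct += (clean_pred == y).sum().item()
            shifted_correct += (shifted_pred == y).sum().item()
            total += y.numel()
    return clean_correct / total, shifted_correct / total
```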
Generating images is a fundamental problem in computer vision. Modern techniques typically involve GANs, but recent work has shown that deep neural networks that are robust to specific adversaries can also be used for generation (see starting paper). So far, this work has only explored models robust to L∞ perturbations. Are models that are robust to other threat models also useful for generation? In this project, you will explore this question and, more broadly, how robustness can be used in generation.
How does the type of adversarial robustness affect a model's generative properties?
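One way robustness has been used for generation is gradient ascent on a target-class score, starting from a noise seed. The sketch below illustrates that idea in PyTorch; the function name generate_with_robust_model, the step size, and the L2-normalized step are illustrative assumptions rather than a prescribed recipe, and the threat model the classifier was trained against is exactly the variable this project asks you to vary.

```python
import torch

def generate_with_robust_model(model, target_class, steps=60, step_size=0.5,
                               shape=(1, 3, 32, 32), device="cpu"):
    """Class-conditional generation sketch: gradient ascent on the target-class
    logit of a robust classifier, starting from a random seed image."""
    model.eval()
    x = torch.rand(shape, device=device)
    for _ in range(steps):
        x = x.detach().requires_grad_(True)
        logits = model(x)
        loss = logits[:, target_class].sum()
        grad, = torch.autograd.grad(loss, x)
        # L2-normalized ascent step, clamped back to the valid pixel range.
        step = step_size * grad / (grad.flatten(1).norm(dim=1).view(-1, 1, 1, 1) + 1e-12)
        x = (x + step).clamp(0.0, 1.0)
    return x.detach()
```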
Deep neural networks are now incredibly accurate on a range of benchmark tasks. However, they remain susceptible to adversarial examples, or small perturbations that change a model's predictions. Recent work has shown that training on data corrupted by an adversary can still give good clean test accuracy (see starting paper and associated blog post for specific experimental details). Can the opposite phenomenon happen? Is it possible to train an adversarially robust model without attacking it during training? In this project, you will explore these questions.
NOTE: Due to computational constraints, this project will involve the instructor running code that you write. Please contact Daniel ASAP if you are interested in this project.
How much are adversarial examples a property of the training dataset?
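For reference, the standard baseline this project asks whether you can avoid is adversarial training with an inner attack such as PGD. Below is a minimal PyTorch sketch of that baseline; hyperparameters like eps, alpha, and steps are placeholder values, and the function names are hypothetical.

```python
import torch
import torch.nn.functional as F

def pgd_attack(model, x, y, eps=8 / 255, alpha=2 / 255, steps=7):
    """Standard L-infinity PGD attack used as the inner loop of adversarial
    training (the 'attack during training' this project asks about avoiding)."""
    x_adv = (x + torch.empty_like(x).uniform_(-eps, eps)).clamp(0.0, 1.0)
    for _ in range(steps):
        x_adv = x_adv.detach().requires_grad_(True)
        loss = F.cross_entropy(model(x_adv), y)
        grad, = torch.autograd.grad(loss, x_adv)
        x_adv = x_adv + alpha * grad.sign()
        # Project back into the eps-ball around x and the valid pixel range.
        x_adv = torch.min(torch.max(x_adv, x - eps), x + eps).clamp(0.0, 1.0)
    return x_adv.detach()

def adversarial_training_step(model, optimizer, x, y):
    """One step of PGD adversarial training, as a baseline to compare against
    training on a fixed, pre-perturbed dataset."""
    x_adv = pgd_attack(model, x, y)
    optimizer.zero_grad()
    loss = F.cross_entropy(model(x_adv), y)
    loss.backward()
    optimizer.step()
    return loss.item()
```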
Performing inference with modern DNNs can be extremely expensive. Researchers have developed many techniques to reduce the cost of inference, ranging from model compression and knowledge distillation to regularization techniques that yield smaller, higher-accuracy models. Which of these techniques is best for training DNNs for high-performance inference? Can they be combined effectively? You will explore these questions in this project.
What is the best way to train DNNs for high-performance inference?
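As one example of these techniques, knowledge distillation trains a small student to match a large teacher's softened outputs. Below is a hedged PyTorch sketch of a standard (Hinton-style) distillation loss; the temperature and mixing weight are illustrative defaults, not tuned values.

```python
import torch.nn.functional as F

def distillation_loss(student_logits, teacher_logits, labels, T=4.0, alpha=0.9):
    """Knowledge distillation loss: a temperature-softened KL term against the
    teacher, mixed with ordinary cross-entropy on the hard labels."""
    soft_teacher = F.log_softmax(teacher_logits / T, dim=1)
    soft_student = F.log_softmax(student_logits / T, dim=1)
    kd = F.kl_div(soft_student, soft_teacher, reduction="batchmean",
                  log_target=True) * (T * T)
    ce = F.cross_entropy(student_logits, labels)
    return alpha * kd + (1.0 - alpha) * ce
```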
Deep neural networks are now incredibly accurate on a range of benchmark tasks. However, they remain susceptible to adversarial examples, or small perturbations that change a model's predictions. Recent work suggests that adding stochastic noise to inputs can improve robustness against adversaries. Yet two major questions remain. First, robustness can be extremely difficult to assess: are these results correct? Second, do these results hold against unforeseen adversaries? You will answer these questions in this project.
Can stochasticity improve robustness against adversaries?
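A common instantiation of this idea is randomized smoothing, where predictions are made by majority vote over Gaussian-noised copies of the input. The sketch below shows that prediction step in PyTorch, without the certification machinery; num_samples and sigma are illustrative values, and smoothed_predict is a hypothetical name.

```python
import torch
import torch.nn.functional as F

def smoothed_predict(model, x, num_samples=100, sigma=0.25):
    """Randomized-smoothing-style prediction: majority vote over Gaussian-noised
    copies of the input batch (no certified radius is computed here)."""
    model.eval()
    with torch.no_grad():
        num_classes = model(x).shape[1]
        counts = torch.zeros(x.shape[0], num_classes, device=x.device)
        for _ in range(num_samples):
            noisy = x + sigma * torch.randn_like(x)
            preds = model(noisy).argmax(dim=1)
            counts += F.one_hot(preds, num_classes).float()
    return counts.argmax(dim=1)
```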