Sparsity-based Design for Robust Deep Learning - Topic C. iii (3)

Abstract

Deep neural networks represent the state of the art in machine learning in a growing number of fields, including vision, speech and narura1 language processing. While the principles behind learning and inference using neural networks were established many decades ago, their spectacular success over the past decade is generally attributed to a quantum leap in the quantity of training data and the available computation, which allows rapid experimentation with a variety of architectures. The empirical success of such experiments has propelled industry to deploy such networks in a host of arenas, including safety-critical applications such as vehicular autonomy. In principle, such techniques have the potential for revolutionizing situational awareness and autonomy for the battlefield as well. However, important open questions regarding the robustness of deep networks must be answered before this potential can be realized. The proposed research is motivated by the recent discovery that deep neural networks can be easily fooled by tiny, carefully designed, adversarial perturbations. For example, such perturbations would be almost imperceptible to a human observer, but could cause a deep network for computer vision in a self-driving car, to not recognize a stop sign, for example. This phenomenon was pointed out in 2014, and has prompted a flurry of research in adversarial attack and defense in the machine learning community. However, most of this work is again purely empirical in its nature, providing no guarantees on robustness. The goal of the proposed research is to develop a theoretical framework that does provide such guarantees, and to demonstrate its efficacy experimentally. The technical approach in the proposed research is based on the notion of sparsity. The input to neural networks (e.g., an image) is high-dimensional, and small adversarial perturbations can add up to a large number when summed over a large number of dimensions. However, in order for learning and generalization to be possible, the information in the input must lie in a low-dimensional manifold, and hence must be sparse with respect to some basis. The impact of adversarial perturbations can therefore be attenuated by a sparsifying front end which projects the input onto such a basis. Another, complementary, approach to attenuating perturbations is to impose sparsity on the weights of the neural network, as well as the activations of the neurons. The proposed research builds on preliminary results on theoretical guarantees and initial experiments based on such approaches. Topics to be investigated include design of improved, data-adaptive bases for sparsifying front ends, design of networks with sparse weights and activations, and exploration of universal sparsifying front ends. In addition to the primary goal of robustness, a secondary goal is to leverage sparsity as a means of enhancing the interpretability of deep networks, which are currently used in black box fashion.

Document Details

Document Type

DoD Grant Award

Publication Date

Feb 14, 2019

Source ID

W911NF1910053

Entities

Tags