Knowing the Unknown: Exploring the Space of Adversarial Attacks via Causal Learning
Abstract
Deep learning has achieved great success in different areas such as image classification, face recognition, object detection, speech recognition, and language translation. Many of these applications could be mission-critical. Consequently, the need and concern for safety and security of these machine learning algorithms arise. Studies show that deep learning models can be easily fooled by well-crafted examples that are generated with small perturbations that are imperceptible to humans. These examples are called adversarial examples. An adversarial attack in machine learning is a technique that attempts to fool learning models through malicious input. The goals of adversarial examples include confidence reduction, misclassification, source/target misclassification, and targeted misclassification. Adversarial learning is generating alarming surprises and raising awareness of the vulnerability of many powerful machine learning algorithms. Numerous adversarial-example generation methods have been developed to demonstrate their varied strengths in producing adversarial examples. Recent studies also show that adversarial examples can be transferable. The transferability of adversarial examples is the property that adversarial examples produced by training on a specific machine learning model can affect another machine learning model. It is a pertinent and important property in our study of the space of adversarial examples. The effective defense of machine learning algorithms entails the understanding or recognition of adversarial examples. The primary objective of this project is to propose a novel approach and new techniques for exploring the space of adversarial examples, which will significantly help understand adversarial attacks, and improve the robustness and reliability of machine learning algorithms in mission-critical applications. In this research, we employ causal inference to explore the space of adversarial examples.
Causal inference is defined with three levels: association, intervention, and counterfactuals. We endeavor to investigate the following research questions: Do these methods generate a gamut of adversarial examples? If not, how can we explore the unknown space of adversarial examples? Is it feasible for the exploration to start with some adversarial examples generated by a single adversarial learning method? On what aspects (e.g., machine learning algorithms, or attack generation methods) is the potency of these adversarial examples dependent? Would the exploration be significantly expanded if a couple more adversarial learning methods were employed? We propose novel anti-causal and counterfactual learning methods to answer these questions. Adversarial examples generated based on causal learning approaches take advantage of the characteristics of the data and are not dependent on the model characteristics. Following a comparative study, we investigate if these two approaches, causal learning and transferability of adversarial examples, complement each other to expand our search for new adversarial examples. This approach is potentially effective because by knowing what we can maximally know, it would be helpful to push the boundary to explore the unknown. Benchmarking data in adversarial attacks will be used in empirical evaluation. Theoretical results and insights will be given with proofs. The above research issues will be investigated in four research tasks in our endeavor to explore the space of adversarial examples. Task 1: Causal Learning for Exploring the Space of Adversarial Examples; Task 2: Counterfactual Learning for Generation-Method-based Exploration; Task 3: Coverage of Causal Learning vs. Transferability of Adversarial Examples; and Task 4: Theoretical Analysis and Empirical Studies. The proposed research is planned for two years. The findings and results will be shared via publications, technical reports, and data and algorithm repositories.
Document Details
- Document Type: DoD Grant Award
- Publication Date: Jun 25, 2021
- Source ID: W911NF2110030
Entities
People
- Huan Liu
Organizations
- Arizona State University
- Army Contracting Command
- United States Army