Adversarial robustness using regularization techniques

Supervisor(s): Ching-Yu Kao
Status: finished
Topic: Others
Author: Natyra Bajraktari
Submission: 2022-01-17
Type of Thesis: Masterthesis
Thesis topic in co-operation with the Fraunhofer Institute for Applied and Integrated Security AISEC, Garching

Description

Deep Neural Networks (DNNs) have been very successful in various areas of Artificial
Intelligence, especially in Computer Vision. Despite being known for their good generalization
performance in various supervised tasks, DNNs have been shown to be highly sensitive
to adversarial attacks: even very small changes in the input can cause them to
make wrong decisions. Therefore, some researchers have questioned the generalization
skills of DNNs, while others have associated this sensitivity with different factors such
as the linear/non-linear nature of DNNs and the curvature/geometry of the classification
boundaries. One very popular method to protect DNNs from adversarial attacks has been
Adversarial Training (AT). AT is considered a regularization technique that, during
training, augments the set of clean examples with Adversarial Examples (AdvEs), this way
learning new features and making the network more robust to new changes.
However, despite the benefits that AT has brought to achieving adversarial robustness, it
also has a variety of disadvantages. One of its main disadvantages is the necessity of
including AdvEs in the training process, which incurs high computational costs. Therefore, in this
master's thesis we focused on finding other regularization techniques which would
mimic the behavior of AT or even improve the robustness of DNNs against AdvEs. We
combined concepts such as the Lipschitz constant, Spectral Normalization and orthogonality
of weight matrices to examine the robustness of DNNs, achieving results
comparable to AT.
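The abstract names three ingredients (Lipschitz constant, spectral normalization, orthogonality of weight matrices) without showing how they relate to input sensitivity. The following pure-Python example is added here for illustration and is not code from the thesis: it computes a layer's spectral norm by power iteration, rescales the layer to be 1-Lipschitz (spectral normalization), evaluates an orthogonality penalty, and checks on a constructed two-layer ReLU network that the change in output caused by a small input perturbation stays below the bound given by the product of the layers' spectral norms. The network weights, input and perturbation are constructed values chosen for the demonstration.

```python
import math
import random

# Constructed example (not the thesis's code): spectral norm, spectral
# normalization, an orthogonality penalty, and the Lipschitz bound they
# yield for a small bias-free ReLU network. Pure Python, no numpy needed.


def matvec(W, x):
    """W @ x for a list-of-rows matrix W and a vector x."""
    return [sum(w * xj for w, xj in zip(row, x)) for row in W]


def matvec_t(W, y):
    """W^T @ y."""
    return [sum(W[i][j] * y[i] for i in range(len(W))) for j in range(len(W[0]))]


def l2norm(v):
    return math.sqrt(sum(t * t for t in v))


def spectral_norm(W, iters=200, seed=0):
    """Largest singular value of W via power iteration (the estimate used by
    spectral normalization). It equals the Lipschitz constant of x -> W x."""
    rng = random.Random(seed)
    v = [rng.random() + 0.1 for _ in range(len(W[0]))]
    for _ in range(iters):
        u = matvec(W, v)
        nu = l2norm(u)
        if nu == 0.0:  # only for the all-zero matrix
            return 0.0
        u = [t / nu for t in u]
        v = matvec_t(W, u)
        nv = l2norm(v)
        v = [t / nv for t in v]
    return l2norm(matvec(W, v))


def spectrally_normalize(W):
    """Divide W by its spectral norm so the layer becomes 1-Lipschitz."""
    s = spectral_norm(W)
    return [[w / s for w in row] for row in W]


def orthogonality_penalty(W):
    """||W^T W - I||_F^2: zero exactly when the columns of W are orthonormal,
    i.e. when every singular value of W equals 1 and W preserves lengths."""
    n = len(W[0])
    wtw = [[sum(W[k][i] * W[k][j] for k in range(len(W))) for j in range(n)]
           for i in range(n)]
    return sum((wtw[i][j] - (1.0 if i == j else 0.0)) ** 2
               for i in range(n) for j in range(n))


def relu(v):
    return [max(0.0, t) for t in v]


def forward(layers, x):
    """Feed-forward ReLU network without biases (biases do not affect the bound)."""
    h = x
    for idx, W in enumerate(layers):
        h = matvec(W, h)
        if idx < len(layers) - 1:
            h = relu(h)
    return h


def lipschitz_upper_bound(layers):
    """Product of the layers' spectral norms. ReLU is 1-Lipschitz, so this
    bounds ||f(x + d) - f(x)|| / ||d|| for the whole network."""
    bound = 1.0
    for W in layers:
        bound *= spectral_norm(W)
    return bound


def perturbation_check(layers, x, delta):
    """Actual output change for input perturbation delta, next to the
    guaranteed upper bound derived from the Lipschitz constant."""
    y0 = forward(layers, x)
    y1 = forward(layers, [a + b for a, b in zip(x, delta)])
    change = l2norm([a - b for a, b in zip(y1, y0)])
    return {"output_change": change,
            "bound": lipschitz_upper_bound(layers) * l2norm(delta)}


# Constructed two-layer network, input and small perturbation.
LAYERS = [[[1.0, 2.0], [3.0, 4.0]], [[1.0, -1.0]]]
X = [1.0, 2.0]
DELTA = [0.01, -0.02]

if __name__ == "__main__":
    raw = perturbation_check(LAYERS, X, DELTA)
    normalized = [spectrally_normalize(W) for W in LAYERS]
    reg = perturbation_check(normalized, X, DELTA)
    print("raw network:          ", raw)
    print("spectrally normalized:", reg)
    print("orthogonality penalty of first layer:", orthogonality_penalty(LAYERS[0]))
```

Running the script shows the raw network's output change sitting below a bound of roughly 7.7 times the perturbation norm, while after spectral normalization the bound collapses to exactly the perturbation norm: that shrinking of the guaranteed sensitivity, obtained from the weights alone, is what makes such regularizers an alternative to generating adversarial examples during training. The orthogonality penalty goes one step further than spectral normalization by pushing all singular values towards 1 rather than only capping the largest.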