Event

Essex Data Science Seminar Week 11: Dr Jinyu Tian

Join Dr Jinyu Tian for his talk on Discreteness Problem in Adversarial Machine Learning

  • Thu 14 Dec 23

    14:00 - 15:00

  • Colchester Campus

    Zoom

  • Event type

    Lectures, talks and seminars

  • Event organiser

    Mathematics, Statistics and Actuarial Science, School of

Join us for this week's Essex Data Science seminar, Autumn Term 2023. Our ED-3S seminars are open to everyone, and offer a great opportunity to meet new people and join in with our community.

Dr Jinyu Tian, Macau University of Science and Technology, will present this seminar on Discreteness Problem in Adversarial Machine Learning.

Abstract

Adversarial examples (AEs) of deep neural networks (DNNs) are receiving ever-increasing attention because they help in understanding the mechanism of DNNs and provide a novel perspective on the ethics of deep learning applications. In many real scenarios, AEs have to be discrete (e.g. digital images). Most existing works achieve the discreteness by relying on the discretization of continuous AEs. Unfortunately, they cannot sufficiently control the spatial difference before and after discretizing continuous AEs, which leads to two side effects: degrading the attack capability of the obtained discrete AEs or introducing extra distortion.

In this work, we propose an adversarial attack called Discrete Attack (DATK) to produce continuous AEs tightly close to their discrete counterparts. Owing to the negligible spatial distance between them, the expected discrete AEs perform with the same powerful attack capability as the continuous AEs without an extra distortion overhead. More precisely, the proposed DATK generates AEs from a novel perspective by directly modeling adversarial perturbations (APs) as discrete random variables. The AE generation problem thus reduces to the estimation of the distribution of discrete APs. Since this problem is typically non-differentiable, we relax it with the proposed reparameterizing tricks and obtain an approximated continuous distribution of discrete APs. Our theoretical proof shows that, by virtue of the continuous APs sampled from the approximated distribution, the spatial distance between the resultant continuous AEs and their discrete counterparts is tightly bounded, which significantly overcomes the side effects caused by the discretization. Extensive results over ImageNet, CIFAR-10 and TU Berlin Sketch demonstrate the superiority of our method when attacking representative DNNs including VGG19, ResNet50, DenseNet121 and MobileNetV2. It is also verified that our DATK is more robust against the state-of-the-art adversarial detection methods.

How to attend

The seminar will be held on Zoom at 14:00 on Thursday 14 December. It is open to everyone, including the general public. Please contact Jianya Lu (jianya.lu@essex.ac.uk) for further information, including the Zoom link.