Machine Learning Security on Video and Transfer Learning

Abstract

Adversarial robustness is one of the most important properties of deep neural network (DNN) models because most DNN models are vulnerable to adversarial examples. As an adversarial example can induce misbehavior of DNN models, the arms race between adversarial attacks and defenses had begun. Since new adversarial attacks are devised to bypass existing defenses, identifying and preventing security threats of new adversarial attacks is necessary for building robust DNN systems.

To build robust DNN systems, we address two types of new adversarial attacks: flicker fusion attacks and attacks tailored to transfer learning. First, we propose a novel flicker fusion attack method appropriate for attacking an arbitrary video. As a flicker fusion attack is a newly devised attack methodology, the feasibility of the attack via a different medium (e.g., video) needs to be examined. The key idea of the proposed attack method is suppressing luminance changes induced by the perturbation, as humans are more sensitive to luminance flickering than chromaticity flickering. After demonstrating the effectiveness of the proposed attack method, we suggest a countermeasure against flicker fusion attacks. Second, we propose a defense method against attacks tailored to transfer learning. As transfer learning opens a door for new attacks that generate adversarial examples using the pre-trained teacher model, a defense method against them is required. The key idea of the proposed defense method is to train a student model having a different feature representation from the teacher model. Triplet loss is used to put the mimic attack examples close to their source images and far from their target images in the feature space of the student model. The method is evaluated on three different transfer learning tasks with diverse configurations. Based on such an accomplishment, we present discussions and future works on both studies.