Machine learning models, especially deep neural networks, have been shown to be vulnerable to multiple attacks, e.g., dataset poisoning, backdoor attacks, and adversarial examples, that apply near-imperceptible perturbations to training or test data but yield undesirable outcomes in the machine learning models. The majority of research in this area focuses on benchmark image classification datasets. In natural images, the cost associated with each perturbation is generally calculated by taking some measure of distance between the original and perturbed samples. In this context, an attack is successful if the attack fools a target model and its cost does not exceed a specified threshold. This project is interested in exploring adversarial machine learning techniques in domains where the cost associated with “perturbations” is more restrictive. Interns on this topic will help explore the effectiveness of the existing attack literature on problem domains with additional constraints. Results will be used to explore the generalizability of current adversarial machine learning methods. In the case of adversarial examples, perturbations are typically generated for a specific data sample, however recent work shows that some perturbations may be universal across images and architectures. A goal of this effort is to reconcile this universal approach with the standard individual approach as a method of increasing the generalizability and lowering the cost of generating adversarial attacks against machine learning models. This effort will proceed by implementing various existing perturbation and adversarial attack methods, performing numerical experiments by applying the perturbation techniques to new datasets in non-imagery domains, and exploring the mathematics underlying generalizability of the perturbation and adversarial attack methods.

Organization: Griffiss