February 3, 2020

How CLEVER is your neural network? Robustness evaluation against adversarial examples

Neural networks are particularly vulnerable to adversarial inputs. Carefully designed perturbations can lead a well-trained model to misbehave, raising new concerns about safety-critical and security-critical applications. Pin-Yu Chen offers an overview of CLEVER, a comprehensive robustness measure that can be used to assess the robustness of any neural network classifier.

Talk Title: How CLEVER is your neural network? Robustness evaluation against adversarial examples
Speakers: Pin-Yu Chen (IBM Research AI)
Conference: Artificial Intelligence Conference
Conf Tag: Put AI to Work
Location: London, United Kingdom
Date: October 9-11, 2018

Adversarial examples are carefully crafted perturbations that, when added to natural examples, lead state-of-the-art deep neural network models to misbehave. In image learning tasks, the adversarial perturbations can be made visually imperceptible to human eyes, resulting in inconsistent decision making between humans and well-trained machine learning models, especially deep neural networks. Even worse, adversarial examples not only exist in the digital space but have also been realized in the physical world by means of colorful stickers or 3D printing, giving rise to rapidly increasing concerns about safety-critical and security-critical machine learning tasks.

Despite various efforts to improve the robustness of neural networks against adversarial perturbations, a comprehensive measure of a model’s robustness is still lacking. Current robustness evaluation relies on the empirical defense performance against existing adversarial attacks and may result in a false sense of robustness, since the defense is neither certified nor guaranteed to generalize to unseen attacks.

CLEVER (Cross Lipschitz Extreme Value for nEtwork Robustness) was created to tackle this challenge. It offers an attack-agnostic measure for evaluating the robustness of any trained neural network classifier against adversarial perturbations. The proposed CLEVER score is:

Without invoking any specific adversarial attack, the CLEVER score can be directly used to compare the robustness of different network designs and training procedures towards building more reliable systems, as demonstrated in the paper. One possible use case is the before-after scenario, where users can obtain a score that reflects the improvement in model robustness before and after a given defense strategy. It’s also the first attack-independent robustness metric that can be applied to any neural network classifier.

Pin-Yu Chen offers an overview of adversarial attack and defense methods for neural networks, details the CLEVER framework for evaluating model robustness, and shares an intriguing demo of adversarial examples.
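
The before-after use case described above, as an added sketch that is not code from the talk or from the CLEVER authors: it follows the published CLEVER idea of sampling gradient norms of the class margin in a ball around the input, but, as a labelled simplification, uses the largest sampled norm instead of the reverse Weibull fit. The two tiny tanh networks, the input and all function names are constructed for illustration.

```python
import math
import random

def tanh_net(W1, W2, c, j):
    """Return x -> (g(x), grad g(x)) with g = f_c - f_j for a bias-free two-layer tanh net."""
    def margin_grad(x):
        h = [math.tanh(sum(w * xi for w, xi in zip(row, x))) for row in W1]
        diff = [W2[c][k] - W2[j][k] for k in range(len(h))]      # dg/dh_k
        g = sum(d * hk for d, hk in zip(diff, h))
        back = [d * (1 - hk ** 2) for d, hk in zip(diff, h)]     # through tanh
        grad = [sum(back[k] * W1[k][i] for k in range(len(h))) for i in range(len(x))]
        return g, grad
    return margin_grad

def sample_l2_ball(x0, radius, rng):
    """Draw a point uniformly from the L2 ball of the given radius around x0."""
    d = [rng.gauss(0, 1) for _ in x0]
    norm = math.sqrt(sum(v * v for v in d))
    r = radius * rng.random() ** (1 / len(x0))
    return [xi + r * v / norm for xi, v in zip(x0, d)]

def clever_style_score(margin_grad, x0, radius, batches=20, per_batch=50, seed=0):
    """Margin at x0 divided by the largest gradient norm sampled in the ball, capped at radius."""
    rng = random.Random(seed)
    maxima = []
    for _ in range(batches):
        norms = []
        for _ in range(per_batch):
            _, grad = margin_grad(sample_l2_ball(x0, radius, rng))
            norms.append(math.sqrt(sum(v * v for v in grad)))
        maxima.append(max(norms))
    # Simplification (assumption): CLEVER fits a reverse Weibull distribution to these
    # batch maxima and uses its location parameter; this sketch takes the largest one.
    lipschitz = max(maxima)
    g0, _ = margin_grad(x0)
    if g0 <= 0:
        return 0.0  # x0 is not classified as c over j, so there is no margin to protect
    return radius if lipschitz == 0 else min(g0 / lipschitz, radius)

# Constructed stand-in models: identical output layer, steep vs. smooth first layer.
IDENT = [[1.0, 0.0], [0.0, 1.0]]
before = tanh_net([[3.0, 0.0], [0.0, 3.0]], IDENT, c=0, j=1)
after = tanh_net(IDENT, IDENT, c=0, j=1)
X0 = [1.0, -1.0]  # constructed input that both models assign to class 0

if __name__ == "__main__":
    print("before defense:", clever_style_score(before, X0, radius=2.0))
    print("after defense: ", clever_style_score(after, X0, radius=2.0))
```

A larger score means a larger estimated perturbation is needed to flip class 0 to class 1 for this input. Multiplying the output layer by a constant leaves the score unchanged, so rescaled logits alone do not register as added robustness.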
