FINDING AND FIXING FRAGILITY IN MACHINE LEARNING
Authors
Jatho, Edgar W., III
Subjects
ML safety
adversarial attack defense
evasion attacks
evasion defense
adversarial examples
System Theoretic Process Analysis
STPA
system safety for machine learning
machine learning
ML
fragility
computer vision
DNN classifier
none-of-the-above defense
NOTA
Advisors
Drusinsky, Doron
Denning, Peter J.
Kroll, Joshua A.
Huntley, Wade L.
Barton, Armon C.
McClure, Patrick
Date of Issue
2023-06
Publisher
Monterey, CA; Naval Postgraduate School
Abstract
This dissertation addresses the general problem that machine learning models are fragile. Fragility arises when composing models into systems or using them in real operational environments. It also arises when model inputs are perturbed, even by small amounts, and especially when the perturbations are chosen by adversaries. This dissertation applies an existing state-of-the-art safety analysis methodology, System Theoretic Process Analysis (STPA), borrowed from systems safety engineering, to concrete ML applications with notable social and ethical risks, to demonstrate a systematic means of arguing for safe and trustworthy ML in sociotechnical systems. STPA bridges high-level goals, such as safety and the AI ethical principles, to low-level ML life-cycle design and implementation decisions. At the technical level, the dissertation introduces a novel defense for deep neural network (DNN) classifiers that exceeds state-of-the-art adversarial robustness against benchmark attacks on the CIFAR-10 and CIFAR-100 datasets. The best defense, a novel stochastic none-of-the-above (NOTA) defense named LAD-SRNA, achieves AutoAttack attack success rates below the natural error rate on both datasets, with near state-of-the-art accuracy and better-than-state-of-the-art robustness in classification systems. Finally, this dissertation introduces a total of 16 adaptive attacks, modifying 8 existing state-of-the-art attacks to overcome NOTA defenses, stochastic defenses, and a combination of the two.
Type
Thesis
Department
Computer Science (CS)
Distribution Statement
Approved for public release. Distribution is unlimited.
Rights
This publication is a work of the U.S. Government as defined in Title 17, United States Code, Section 101. Copyright protection is not available for this work in the United States.
