While neural networks have achieved high performance in a range of learning tasks, their accuracy drops significantly in the presence of small adversarial perturbations to their inputs. In the last couple of years, several practical defenses based on regularization and adversarial training have been proposed, and these are often followed by stronger attacks that defeat them. To escape this cycle, a new line of work focuses on developing certifiably robust classifiers. In these models, for a given input sample, one can calculate a robustness certificate such that for ‘any’ perturbation of the input within the robustness radius, the classification output will ‘provably’ remain unchanged. In this talk, I will present two certifiable defenses: (1) Wasserstein smoothing, to defend against non-additive Wasserstein adversarial attacks, and (2) curvature-based robust training, to certifiably defend against L2 attacks by globally bounding the curvature values of the network.
This is a joint work with Alex Levine and Sahil Singla.
Soheil Feizi is an assistant professor in the Computer Science Department at the University of Maryland, College Park. His research interests are in the area of machine learning and statistical inference. Before joining UMD, he was a post-doctoral research scholar at Stanford University. He received his Ph.D. in EECS with a minor in Mathematics from the Massachusetts Institute of Technology (MIT). He completed an M.Sc. in EECS at MIT, where he received the Ernst Guillemin award for his thesis, as well as the Jacobs Presidential Fellowship and the EECS Great Educators Fellowship. He is the 2019 recipient of the Simons-Berkeley Research Fellowship on deep learning foundations and received IBM and Qualcomm faculty awards in 2019. He received teaching awards in Fall 2018 and Spring 2019 in the CS department at UMD. His work on maximal correlation won the best paper award of IEEE Transactions on Network Science and Engineering for the three-year period 2017-2019.