csce585-mlsystems / project-athena

This is the course project for CSCE585: ML Systems. Students will build their machine learning systems based on the provided infrastructure --- Athena.
MIT License

Project ATHENA

This is the course project for CSCE585. Students will build their machine learning systems based on the provided infrastructure --- Athena.

Overview

This project assignment is a group assignment. Each group of students will design and build an adversarial machine learning system on top of the provided framework (ATHENA) and then evaluate their work accordingly. The project will be evaluated on the MNIST benchmark dataset. This project focuses on supervised machine learning tasks, in which all the training data are labeled. Moreover, we consider only evasion attacks in this project, which happen at test time (i.e., the targeted model has already been trained and deployed).

Each team should finish three tasks independently --- two core adversarial machine learning tasks and a competition task.

Submission

Each team should submit all materials that enable an independent group to replicate the results, including but not limited to:

Teams

Given Materials

Task 1. Generate Adversarial Examples

This task is an essential warm-up task for all groups, aiming to help students get familiar with the ATHENA framework and necessary background regarding the adversarial machine learning tasks.

In this task, students will generate adversarial examples in the context of the zero-knowledge threat model (Section III.D, ATHENA paper) using 2 to 3 different attack methods. You can generate the adversarial examples using the attacks provided by ATHENA or using new attacks implemented by extending ATHENA. Groups that implement a new attack receive 5% additional points as a bonus. Each group should aim for at most one new attack.

The attacks implemented by ATHENA [40%]:

  1. FGSM
  2. BIM (L2 and Linf norms)
  3. CW (L2 and Linf norms)
  4. JSMA
  5. PGD
  6. MIM
  7. DeepFool
  8. One-Pixel (black-box attack, not suitable for this task)
  9. Spatially Transformed Attack
  10. Hop-Skip-Jump (black-box attack, not suitable for this task)
  11. ZOO

Other possible attacks [5%]:

  1. Obfuscated Gradient
  2. DDA (Distributionally Adversarial Attack)
  3. ENA (Elastic-net Attack)
  4. GAN-based Attacks
  5. etc.

Note: You are encouraged to explore new attacks not listed. Good resources are related studies from recent years, the NeurIPS adversarial competitions, and surveys of adversarial machine learning.

Task 2. Extension of ATHENA

There are multiple options for Task 2, each with its own bonus. Each team should pick one and only one option for the Task 2 assignment. Each option admits a limited number of groups, so it is first come, first served. We will post a note on Piazza to collect the claims. Any team that has not claimed a Task 2 option before Task 1 is due will be assigned one at random by us. Claim your Task 2 option here.

Option 1. Optimization-based white-box attack

In this task, students aim to generate adversarial examples against the vanilla ATHENA in the context of the white-box threat model (Section III.F in the ATHENA paper) and then evaluate the effectiveness of the crafted adversarial examples. Each group should aim to generate the adversarial examples using at most 2 attacks. For each attack, generate around 5 variants by varying the tunable parameters. Evaluate the success rate of the crafted adversarial examples on the vanilla ATHENA. Compare the adversarial examples generated in Task 2 with those generated in Task 1 and with the baseline adversarial examples provided by us.

Report:

  1. Introduce the approaches that are used in the task.
  2. Experimental settings --- the values of the tunable parameters for each variant.
  3. Evaluation results and necessary analysis.
  4. Contribution of individual team members.
  5. Citations to all related works.

Optimization-based approaches (already implemented in ATHENA, no bonus):

1. Xuanqing Liu, Minhao Cheng, Huan Zhang, Cho-Jui Hsieh. Towards Robust Neural Networks via Random Self-ensemble. ECCV 2018.
2. Anish Athalye, Logan Engstrom, Andrew Ilyas, Kevin Kwok. Synthesizing Robust Adversarial Examples. ICML 2018

Note:

Option 2. Learning-based strategy

In this task, students aim to build a model that takes the predictions of the weak defenses as its input and produces the final label for the input image. That is, rather than using a fixed ensemble strategy (MV, AVEP, etc.), students train a model that learns how to combine the predictions of the weak defenses. Each group should aim to implement one approach. Evaluate your defenses against the benign samples, the adversarial examples generated in Task 1, and the baseline adversarial examples.

Report:

  1. Introduce the approaches that are used in the task.
  2. Experimental settings --- the values of the tunable parameters for each variant.
  3. Evaluation and necessary analysis.
  4. Contribution of individual team members.
  5. Citations to all related works.

Possible solutions:

1. [+20%] Forest Agostinelli, Michael R. Anderson, and Honglak Lee. Adaptive Multi-Column Deep Neural Networks with Application to Robust Image Denoising. NIPS 2018.
2. [+20%] Geoffrey Hinton, Oriol Vinyals, and Jeff Dean. Distilling the Knowledge in a Neural Network. ICLR 2015.

Note: You are encouraged to explore new approaches not listed.

Option 3. Probabilistic ATHENA

In this task, students aim to build an ensemble from a library of probabilistic models (such as Bayesian Neural Networks). Each group should aim to build a library of 5 to 20 weak defenses and then build the ensembles from that library. Evaluate your defenses against the benign samples, the adversarial examples generated in Task 1, and the baseline adversarial examples.

Report:

  1. Introduce the approaches that are used in the task.
  2. Experimental settings --- the values of the tunable parameters for each variant.
  3. Evaluation of defenses' effectiveness and necessary analysis.
  4. Contribution of individual team members.
  5. Citations to all related works.

Note: You are encouraged to explore new approaches not listed.

Option 4. Hybrid ATHENA

In this task, students aim to build a hybrid ensemble from a library of diverse types of weak defenses. Students should aim to build several ensemble variants of various sizes.

Two major approaches:

  1. [10%] Randomly select n weak defenses from the library for the ensemble.
  2. [20%] Select n weak defenses via a search-based approach. For example, greedily search for the n weak defenses that give the maximal/minimal value of a specific metric (e.g., entropy, ensemble diversity, etc.).
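The following is an added example, not ATHENA's own code, that makes concrete both the fixed ensemble strategies named in Option 2 (MV and AVEP) and the greedy, metric-driven selection of weak defenses described in Option 4. It runs on a constructed library of four weak defenses (WDs), each scoring four samples over three classes; the diversity metric used is pairwise label disagreement, chosen here as one illustration of "ensemble diversity".

```python
# Added example (not ATHENA's own code): fixed ensemble strategies (MV, AVEP)
# and greedy, disagreement-based WD selection on a constructed WD library.
from itertools import combinations
from typing import Dict, List, Sequence

Probs = List[List[float]]  # probs[sample][class], one list per weak defense

def labels(probs: Probs) -> List[int]:
    """Hard label per sample: argmax over class probabilities (first on ties)."""
    return [max(range(len(p)), key=p.__getitem__) for p in probs]

def majority_vote(wd_probs: Sequence[Probs]) -> List[int]:
    """MV: each WD votes its argmax label; ties resolve to the lowest label."""
    votes = [labels(p) for p in wd_probs]
    return [min(set(col), key=lambda c: (-col.count(c), c)) for col in zip(*votes)]

def avep(wd_probs: Sequence[Probs]) -> List[int]:
    """AVEP: average the WDs' probability vectors, then take the argmax."""
    k = len(wd_probs)
    return labels([[sum(col) / k for col in zip(*rows)] for rows in zip(*wd_probs)])

def disagreement(wd_probs: Sequence[Probs]) -> float:
    """Diversity metric: fraction of samples on which two WDs output different
    labels, averaged over all WD pairs (0.0 for fewer than two WDs)."""
    lbl = [labels(p) for p in wd_probs]
    pairs = list(combinations(lbl, 2))
    if not pairs:
        return 0.0
    return sum(sum(a != b for a, b in zip(x, y)) / len(x) for x, y in pairs) / len(pairs)

def greedy_select(library: Dict[str, Probs], n: int) -> List[str]:
    """Greedy search: seed with the most-disagreeing pair, then repeatedly add
    the WD that maximises the disagreement of the enlarged ensemble."""
    names = list(library)
    chosen = list(max(combinations(names, 2),
                      key=lambda pr: disagreement([library[w] for w in pr])))
    while len(chosen) < min(n, len(names)):
        rest = [w for w in names if w not in chosen]
        chosen.append(max(rest, key=lambda w: disagreement(
            [library[x] for x in chosen + [w]])))
    return chosen

# Constructed softmax outputs (4 samples x 3 classes per WD). wd_a and wd_b
# behave alike; on sample 3 they are barely confident, which is where MV and
# AVEP disagree with each other.
LIBRARY: Dict[str, Probs] = {
    "wd_a": [[.9, .05, .05], [.1, .8, .1], [.2, .2, .6], [.45, .15, .40]],
    "wd_b": [[.8, .1, .1], [.2, .7, .1], [.3, .1, .6], [.45, .15, .40]],
    "wd_c": [[.3, .6, .1], [.1, .8, .1], [.5, .1, .4], [.1, .1, .8]],
    "wd_d": [[.4, .1, .5], [.6, .3, .1], [.2, .2, .6], [.1, .8, .1]],
}
```

On this library `majority_vote` and `avep` give different labels for sample 3, and `greedy_select(LIBRARY, 3)` picks the two near-duplicate WDs last, which is the point of selecting by diversity rather than at random.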

Report:

  1. Introduce the approaches that are used in the task.
  2. Experimental settings --- the values of the tunable parameters for each variant.
  3. Evaluation of defenses' effectiveness and necessary analysis.
  4. Contribution of individual team members.
  5. Citations to all related works.

Note: You are encouraged to explore new approaches not listed.

Task 3. Project Presentation (video recording)

Each group is required to submit a 5-minute presentation video for their final project. Students can be as creative as they like with their video presentations. The easiest option is to create a slide deck together as a team and record yourselves presenting it as a group using Zoom. Each team member should speak during the presentation. We also prefer that students use a webcam, so we can see you in the video recording.

The following is a suggested structure for the video presentation. You don't necessarily have to organize your presentation using these sections in this order, but that would likely be a good starting point for most projects.

How to submit:

  1. A link to your slides: you can use a cloud service such as OneDrive/DropBox, or you can publish your presentation on SlideShare/SpeakerDeck and share the link with us.
  2. A link to your video recording: you are encouraged to publish your presentation on YouTube; you can also share the video recording with us via a cloud link (OneDrive or DropBox).

Research Projects (Optional)

If a team wants to go beyond the mandatory tasks and do some extra tasks (totally optional, but highly encouraged), we have some exciting possibilities.

Defense, Architecture

Deployment

Deploy the defense on a physical device such as AWS DeepLens or an NVIDIA platform (TX1, TX2, Xavier). We have these platforms in the AISys lab and can facilitate access to them for some exciting experiments. As you know, ATHENA exposes a tradeoff space (adding/removing WDs and changing the ensemble strategy), and you can explore it in a physical environment. This requires some creativity and motivation to come up with good experiments and a demo. This optional task is highly encouraged for motivated students who want to learn more about adversarial ML and do some research in this direction.