- This event has passed.
Dissertation Proposal Oral Presentation, Jieren Deng
March 7 @ 10:00 am - 11:00 am EST
Title: Certifiably Robust Classification with Latent Denoising
Ph.D. Candidate: Jieren Deng
Major Advisor: Dr. Derek Aguiar
Associate Advisors: Dr. Jinbo Bi, Dr. Yuan Hong, Dr. Kaleel Mahmood
Committee Members: Dr. Caiwen Ding, Dr. Fei Miao
Date/Time: Thursday, March 7th, 2024, 10:00 AM
Location: HBL Class of 1947 Conference Room
Meeting link: https://uconn-cmr.webex.com/meet/jid20004
Abstract
Deep neural networks have demonstrated remarkable effectiveness in image classification tasks, but they are vulnerable to adversarial attacks, which causes the model to confidently misclassify adversarially perturbed images. Empirical observations suggest that denoising autoencoders and diffusion models, which are used to purify adversarial perturbations prior to classification, provide notable improvements in robustness when compared with traditional adversarial training methods. Recent random smoothing techniques have been used to certify classifiers, providing tight robustness guarantees within an L2 radius. However, without explicit constraints on the latent representation of an image, the denoising process is challenging to interpret and the perturbation magnitude is difficult to calibrate.
In this dissertation proposal, we will begin by describing our prior work on developing attacks and defenses for deep neural networks before proposing a statistical autoencoder that expands the certified robustness radius by denoising adversarial examples in latent space. We hypothesize that by ensuring statistical indistinguishability from Gaussianity in the latent space, we can interpret denoising paths for adversarial examples and more precisely calibrate the certified robustness radius. The key questions we aim to answer include: (1) Can denoising adversarial examples in the latent space extend the certified robustness radius for a pre-trained classifier? (2) Can we leverage the assumption that the latent space is statistically indistinguishable from multivariate Gaussian to formulate a larger certified robustness radius? (3) What properties of multivariate Gaussianity influence the certified robustness radius?
