Search Results for author: Alexander Levine

Found 20 papers, 12 papers with code

Multistep Inverse Is Not All You Need

1 code implementation 18 Mar 2024 Alexander Levine, Peter Stone, Amy Zhang

In this work, we consider the Ex-BMDP model, first proposed by Efroni et al. (2022), which formalizes control problems where observations can be factorized into an action-dependent latent state which evolves deterministically, and action-independent time-correlated noise.

Invariant Learning via Diffusion Dreamed Distribution Shifts

no code implementations 18 Nov 2022 Priyatham Kattakinda, Alexander Levine, Soheil Feizi

Using the validation set, we evaluate several popular DNN image classifiers and find that the classification performance of models generally suffers on our background diverse images.

Image Classification

Goal-Conditioned Q-Learning as Knowledge Distillation

1 code implementation 28 Aug 2022 Alexander Levine, Soheil Feizi

We empirically show that this can improve the performance of goal-conditioned off-policy reinforcement learning when the space of goals is high-dimensional.

Knowledge Distillation, Q-Learning, +2

Lethal Dose Conjecture on Data Poisoning

1 code implementation 5 Aug 2022 Wenxiao Wang, Alexander Levine, Soheil Feizi

Deep Partition Aggregation (DPA) and its extension, Finite Aggregation (FA) are recent approaches for provable defenses against data poisoning, where they predict through the majority vote of many base models trained from different subsets of training set using a given learner.

Data Poisoning

Provable Adversarial Robustness for Fractional Lp Threat Models

1 code implementation 16 Mar 2022 Alexander Levine, Soheil Feizi

Our approach builds on a recent work, Levine and Feizi (2021), which provides a provable defense against L_1 attacks.

Adversarial Robustness

Improved Certified Defenses against Data Poisoning with (Deterministic) Finite Aggregation

1 code implementation 5 Feb 2022 Wenxiao Wang, Alexander Levine, Soheil Feizi

DPA predicts through an aggregation of base classifiers trained on disjoint subsets of data, thus restricting its sensitivity to dataset distortions.

Data Poisoning

Certifying Model Accuracy under Distribution Shifts

1 code implementation 28 Jan 2022 Aounon Kumar, Alexander Levine, Tom Goldstein, Soheil Feizi

Certified robustness in machine learning has primarily focused on adversarial perturbations of the input with a fixed attack budget for each point in the data distribution.

Segment and Complete: Defending Object Detectors against Adversarial Patch Attacks with Robust Patch Detection

1 code implementation CVPR 2022 Jiang Liu, Alexander Levine, Chun Pong Lau, Rama Chellappa, Soheil Feizi

In addition, we design a robust shape completion algorithm, which is guaranteed to remove the entire patch from the images if the outputs of the patch segmenter are within a certain Hamming distance of the ground-truth patch masks.

Adversarial Attack Detection, Adversarial Defense, +5

Policy Smoothing for Provably Robust Reinforcement Learning

no code implementations ICLR 2022 Aounon Kumar, Alexander Levine, Soheil Feizi

Prior works in provable robustness in RL seek to certify the behaviour of the victim policy at every time-step against a non-adaptive adversary using methods developed for the static setting.

Adversarial Robustness, Image Classification, +3

Improved, Deterministic Smoothing for L_1 Certified Robustness

1 code implementation 17 Mar 2021 Alexander Levine, Soheil Feizi

To the best of our knowledge, this is the first work to provide deterministic "randomized smoothing" for a norm-based adversarial threat model while allowing for an arbitrary classifier (i.e., a deep model) to be used as a base classifier and without requiring an exponential number of smoothing samples.

Deep Partition Aggregation: Provable Defenses against General Poisoning Attacks

no code implementations ICLR 2021 Alexander Levine, Soheil Feizi

Against general poisoning attacks where no prior certified defenses exist, DPA can certify $\geq$ 50% of test images against over 500 poison image insertions on MNIST, and nine insertions on CIFAR-10.

Tight Second-Order Certificates for Randomized Smoothing

1 code implementation 20 Oct 2020 Alexander Levine, Aounon Kumar, Thomas Goldstein, Soheil Feizi

In this work, we show that there also exists a universal curvature-like bound for Gaussian random smoothing: given the exact value and gradient of a smoothed function, we compute a lower bound on the distance of a point to its closest adversarial example, called the Second-order Smoothing (SoS) robustness certificate.

Certifying Confidence via Randomized Smoothing

no code implementations NeurIPS 2020 Aounon Kumar, Alexander Levine, Soheil Feizi, Tom Goldstein

It uses the probabilities of predicting the top two most-likely classes around an input point under a smoothing distribution to generate a certified radius for a classifier's prediction.

LEMMA

Dual Manifold Adversarial Robustness: Defense against Lp and non-Lp Adversarial Attacks

no code implementations NeurIPS 2020 Wei-An Lin, Chun Pong Lau, Alexander Levine, Rama Chellappa, Soheil Feizi

Using OM-ImageNet, we first show that adversarial training in the latent space of images improves both standard accuracy and robustness to on-manifold attacks.

Adversarial Robustness

Deep Partition Aggregation: Provable Defense against General Poisoning Attacks

no code implementations 26 Jun 2020 Alexander Levine, Soheil Feizi

Our defense against label-flipping attacks, SS-DPA, uses a semi-supervised learning algorithm as its base classifier model: each base classifier is trained using the entire unlabeled training set in addition to the labels for a partition.

(De)Randomized Smoothing for Certifiable Defense against Patch Attacks

1 code implementation NeurIPS 2020 Alexander Levine, Soheil Feizi

In this paper, we introduce a certifiable defense against patch attacks that guarantees that, for a given image and patch attack size, no patch adversarial examples exist.

Curse of Dimensionality on Randomized Smoothing for Certifiable Robustness

1 code implementation ICML 2020 Aounon Kumar, Alexander Levine, Tom Goldstein, Soheil Feizi

Notably, for $p \geq 2$, this dependence on $d$ is no better than that of the $\ell_p$-radius that can be certified using isotropic Gaussian smoothing, essentially putting a matching lower bound on the robustness radius.

Robustness Certificates for Sparse Adversarial Attacks by Randomized Ablation

1 code implementation 21 Nov 2019 Alexander Levine, Soheil Feizi

This is comparable to the observed empirical robustness of unprotected classifiers on MNIST to modern L_0 attacks, demonstrating the tightness of the proposed robustness certificate.

Robust classification

Wasserstein Smoothing: Certified Robustness against Wasserstein Adversarial Attacks

no code implementations 23 Oct 2019 Alexander Levine, Soheil Feizi

An example of an attack method based on a non-additive threat model is the Wasserstein adversarial attack proposed by Wong et al. (2019), where the distance between an image and its adversarial example is determined by the Wasserstein metric ("earth-mover distance") between their normalized pixel intensities.

Adversarial Attack, Image Classification

Certifiably Robust Interpretation in Deep Learning

no code implementations 28 May 2019 Alexander Levine, Sahil Singla, Soheil Feizi

Deep learning interpretation is essential to explain the reasoning behind model predictions.
