The present invention generally relates to the detection in sensing systems based on neural networks. More particularly, the present invention relates to sensing and/or classifying method and system, for processing predictions and/or classifications in the presence of adversarial perturbations.
The present invention finds application in any sensing system, as for example used in the automotive sector, which employs a neural network (NN) for classification/prediction purposes.
As is known, neural network models can be viewed as mathematical models defining a function f: X→Y. It is known in the art that, besides the great potential of (deep-)neural networks, these functions are vulnerable to adversarial perturbations (c.f. Szegedy, C., Zaremba, W., Sutskever, I., Bruna, J., Erhan, D., Goodfellow, I., & Fergus, R. (2013). Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199). That is, correctly classified samples can be slightly perturbed in a way that the classification changes tremendously and becomes wrong. Such perturbations can be the result of an adversarial attack, but they can also occur by chance. Hence, it is necessary, in particular for safety critical applications, to have mechanisms to detect such perturbed inputs in order to interpret the corresponding classification accordingly.
The role of a derivative of the network function with respect to the input has been discussed in (i) Hein, M., & Andriushchenko, M. (2017). Formal guarantees on the robustness of a classifier against adversarial manipulation. In Advances in Neural Information Processing Systems (pp. 2266-2276, and in (ii) Simon-Gabriel, C. J., 011ivier, Y., Schölkopf, B., Bottou, L., & Lopez-Paz, D. (2018). Adversarial Vulnerability of Neural Networks Increases With Input Dimension. arXiv preprint arXiv:1802.01421.
A problem addressed by the present invention is how to provide effective neural network-based sensing and/or classifying methods and systems that reduce or eliminate the effects of the presence of adversarial perturbations upon predictions and/or classifications.
In order to overcome the abovementioned problems, in one aspect there is provided a method of processing predictions in the presence of adversarial perturbations in a sensing system comprising a processor and, coupled thereto, a memory. It should be noted that in the context of the invention the expressions “processor” and “memory” are not limited to specific implementations of the processing environment. The processor and memory may e.g. be standard processors used in computers or common computing devices. On the other hand, the skilled person will appreciate that a neural network may implemented in some other hardware device that might be dedicated to neural networks (devices with a network structure burned into their circuitry are expected to be available in the future). These and other possible implementations of “processor” and “memory” devices are also encompassed by the expressions.
The processor may be configured to connect to one or more sensors for receiving inputs (x) therefrom. The processor may be configured to run a module in the memory for implementing a neural network. The neural network may have a network function fθ, where θ are network parameters. The method may be executed by the processor and comprise generating, from the inputs (x) including at least a given input (x0), respective outputs, the outputs being predictions of the neural network and including a given output y corresponding to the given input (x0), where y=fθ (x0). The method may further comprise generating, from a plurality of outputs including the given output y, a measurement quantity (m). The measurement quantity m may be, at or near the given input (x0), (i) a first measurement quantity M1 corresponding to a gradient of the given output y, (ii) a second measurement quantity M2 corresponding to a gradient of a predetermined objective function derived from a training process for the neural network, or (iii) a third measurement quantity M3 derived from a combination of M1 and M2. The method may further comprise determining whether the measurement quantity (m) is equal to or greater than a threshold. The method may further comprise, if the measurement quantity (m) is determined to be equal to or greater than the threshold, performing one or more remedial actions to correct for a perturbation.
Preferably, the method further comprises, if the measurement quantity (m) is determined to be less than the threshold, performing a predetermined usual action resulting from y.
In an embodiment, generating the first measurement quantity M1 comprises: computing a gradient Dxfθ of the network function fθ with respect to the input (x); and deriving the first measurement quantity M1 as the value of gradient Dxfθ corresponding to the given input (x0). Preferably, deriving the first measurement quantity M1 comprises determining the Euclidean norm of Dxfθ corresponding to the given input (x0).
In an embodiment, generating the second measurement quantity M2 comprises: computing a gradient Dθ J(X,Y, fθ) of the objective function by J(X,Y,fθ) with respect to the network parameters fθ, whereby J(X,Y, fθ) has been previously obtained by calibrating the network function fθ in an offline training process based on given training data; and deriving the second measurement quantity M2 as the value of gradient Dθ J(X,Y,fθ) corresponding to the given input (x0). Preferably, deriving the second measurement quantity M2 comprises determining the Euclidean norm of Dθ J(X,Y,fθ) corresponding to the given input (x0).
In embodiments, the third measurement quantity M3 is computed as a weighted sum of the first measurement quantity M1 and the second measurement quantity M2.
The first measurement quantity M1, the second measurement quantity M2 and/or the third measurement quantity M3 may be generated based on a predetermined neighborhood of inputs (x) including the given input (x0). Preferably, the predetermined neighborhood of inputs includes a first plurality of inputs prior to the the given input (x0) and/or a second plurality of inputs after the the given input (x0). Preferably, the number in the first plurality and/or the second plurality is 2-10, more preferably 2-5, more preferably 2-3.
In an embodiment, the one or more remedial actions comprise saving the value of fθ(x0) and wait for a next output fθ(x1) in order to verify fθ(x0) or to determine that it was a false output.
In an embodiment, the sensing system includes one or more output devices, and the one or more remedial actions comprise stopping the sensing system and issuing a corresponding warning notice via an output device.
In an embodiment, the one or more remedial actions comprise rejecting the prediction fθ(x0) and stopping any predetermined further actions that would result from that prediction.
According to another aspect, there is provided a method of classifying outputs of a sensing system employing a neural network, the method comprising, if the measurement quantity (m) is determined to be less than the threshold, performing a predetermined usual action resulting from y, wherein the predetermined usual action or the predetermined further actions comprise determining a classification or a regression based on the prediction y.
Preferably, the sensing system includes one or more output devices and one or more input devices, and wherein the method further comprises: outputting via an output device a request for a user to approve or disapprove a determined classification, and receiving a user input via an input device, the user input indicating whether the determined classification is approved or disapproved.
According to another aspect, there is provided a sensing and/or classifying system, for processing predictions and/or classifications in the presence of adversarial perturbations, the sensing and/or classifying system comprising: a processor and, coupled thereto, a memory, wherein the processor is configured to connect to one or more sensors for receiving inputs (x) therefrom, wherein the processor is configured to run a module in the memory for implementing a neural network, the neural network having a network function fθ, where θ are network parameters, and wherein the processor, is configured to execute one or more embodiments of the method as described above.
According to another aspect of the invention there is provided a vehicle comprising a sensing and/or classifying system as described above.
The invention, at least in some embodiments, provides a method that supports the robustness and safety of systems that implement a neural network for classification purposes. To this end, a method is formulated to measure whether a sample at hand (x0) might be located in a region of the input space where the neural network does not perform in a reliable manner. Beneficially, the disclosed techniques exploit the analytical properties of the neural network. More precisely, the disclosed techniques implement the gradients of the neural network which then deliver sensitivity information about the decision at a given sample.
An advantage of the invention, at least in some embodiments, is to reduce or eliminate the effects of the presence of adversarial perturbations upon predictions and/or classifications.
A further advantage of the invention, at least in some embodiments, is that by deriving analytical characteristics from the neural network, determination of whether the neural network might have had difficulties in performing a reliable prediction is enabled.
Yet further advantages of the invention, at least in some embodiments, include the following: (i) analytical properties of neural network-function may be used to measure reliability; (ii) two measures based on gradients of the neural network and on the underlying objective function used during training, are employed and can be combined to a common criterion for reliability; (iii) robustness measures are tailored to the actual neural network (directly based on the actual neural network); and (iv) the technique is applicable to any domain where neural networks are employed.
Further details and advantages of the present invention will be apparent from the following detailed description of not limiting embodiments with reference to the attached drawing, wherein:
In the drawings, like reference numerals have been used to denote like elements. Any features, components, operations, steps or other elements of one embodiment may be used in combination with those of any other embodiment disclosed herein, unless indicated otherwise hereinbelow.
The system 1 includes a processor 2 and, coupled thereto, one or memories including non-volatile memory (NVM) 3. In the NVM 3 may be stored various software 4 including operating system software 5 and/or one or more software modules 6-1 to 6-n (collectively modules 6). The modules 6 may include a neural network module 6-1 implementing a neural network, as discussed further hereinbelow.
In embodiments, for the purpose of interaction with a user, the system 1 may include one or more input devices 7 and one or more output devices 8. The input devices 7 may include a keyboard or keypad 7-1, a navigation dial or knob/button 7-2 and/or a touchscreen 7-3. The output devices 8 may include a display (e.g. LCD) 8-1, one or more illuminable indicators (e.g. LEDs) 8-2 and/or an audio output device (e.g. speaker) 8-3.
During operation of the neural network module 6-1, the processor 2 may receive input from one or more sensors 9-1, 9-2, . . . , 9-m (collectively sensors 9), for example via respective interfaces 10-1, 10-2, . . . , 10-m (collectively interfaces 10), which are thereafter further processed as discussed in more detail below.
Optionally, the system 1 includes a short-range (e.g. Bluetooth, ZigBee) communications subsystem 11 and/or a long-range (e.g. cellular, such as 4G, 5G) communications subsystem 12, each interface being for receipt and/or transmission of sensor or other data, control parameters, training data, or other system-related data, or for transmission of neural network predictions and/or classifications.
Received at the neural network module 6-1 are successive inputs or samples x, received from sensors 9 via interfaces 10. In embodiments, the neural network module 6-1 may receive the inputs x as raw data, or as pre-processed sensor data through an appropriate pre-processing technique, such as amplification, filtering or other signal conditioning. While denoted simply as x, it will be appreciated that the inputs x may be in the form of signals disposed in an array or matrix corresponding to the configuration of sensors 9.
The underlying principles of the disclosed techniques will be discussed in the following.
For the purpose of illustration, under consideration is a general sensing system that receives data from one or several sensors 9. The system employs a neural network (NN) module 6-1 to make a prediction or classification regarding the environment or some physical quantity.
As an example, the following automotive and other scenarios are envisaged:
It is further assumed that the system (NN module 6-1) uses a NN denoted by f74 (with θ being the network parameters) that receives the raw or pre-processed sensor data (from one or several sensors 9), denoted by x, upon which it performs a prediction or classification.
Returning to the abovementioned example scenarios, the classification/prediction might be as follows:
It is assumed that fθ has been calibrated in an offline training process (based on given training data). This training process is (as it is usually done) performed by solving an optimization problem (fit training data to desired output) that is formulated by means of a certain objective function denoted by J(X,Y,fθ). Here X denotes the set of training data and Y are the corresponding labels (desired output).
In use, the NN module 6-1 is operative, for each input by x, to generate or determine a corresponding output, so for a given input x0 a given output y is determined as y=fθ (x0).
Returning to
In embodiments of the present invention, two characteristics of f74 and J(X,Y,fθ) that can be used in parallel or separately are defined and employed.
In a first embodiment, the gradient of the network function f74 with respect to the input x, which is denoted by Dxfθ, is used.
Here, it is noted that, given an actual input x0 during life-time (of operation of system 1), the magnitude of the entries in the gradient Dxfθ(x0) scales with the sensitivity of the classification in the neighbourhood of the sample x0. In other words, the higher the entries Dxfθ(x0) the more the output fθ(x0+δ) will change for certain perturbations δ. This in turn provides information that allows the determination of whether the input region around the sample x0 constitutes a region of high fluctuation in the classification or not. This gives information about the reliability of the output fθ(x0).
In this first embodiment, therefore, a suitable quantity is derived from Dxfθ(x0) denoted by M1(Dxfθ(x0)) (with, for instance, M1 the Euclidean norm). If this quantity exceeds a predefined threshold, then the system can react accordingly (concrete reactions are formulated below).
In a second embodiment, there is employed Dθ J(X,Y,fθ)—the gradient of the objective function with respect to the network parameters θ.
Here, given an actual input x0 during life-time and the corresponding output fθ(x0)=y0, the magnitude of the entries in the gradient Deθ J(x0, y0, fθ) provides information about whether the system would have learned something when the pair (x0, y0) would have been part of the training data. That is, the higher the entries in Dθ J(x0, y0, fθ) the more the system could have learned from (x0, y0). This in turn allows it to be concluded whether there has been sufficient training data in that input region and whether the system should be capable or not to classify the latter with a sufficiently high confidence. The underlying assumption is that an adversarial perturbation would have given information (high entries in Deθ J(x0, y0, fθ)) to the training process.
In this second embodiment, therefore, a quantity M2(Dθ J(x0, y0, fθ)) derived from Dθ J(x0, y0, fθ)) is used to quantify to what extent one can trust the output fθ(x0). Such quantity M2 could for instance be the Euclidean norm or any other mathematical mapping to a size or length. If this quantity exceeds a predefined threshold, the system can react accordingly.
Both measures M1, M2 can also be evaluated in a reasonable neighbourhood around the sample x0. For example, a predetermined number of values obtained for samples (inputs) prior to and/or after input x0 may be used.
If one or two of the proposed measures M1, M2 indicate that the prediction fθ(x0) is not reliable, then, in embodiments the following are remedial/evasive actions that may be executed:
For illustration, let M(x, fθ) be one of the introduced quantities M1(Dxfθ(x0)), M2(Dθ J(x0, y0, fθ)), a combination (like weighted sum) of the latter, or any other useful mapping. Then a pseudocode of the system may be as follows:
While embodiments have been described by reference to embodiments of survey devices having various components in their respective implementations, it will be appreciated that other embodiments make use of other combinations and permutations of these and other components.
Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure or characteristic described in connection with the embodiment is included in at least one embodiment of the present invention. Thus, appearances of the phrases “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment, but may. Furthermore, the particular features, structures or characteristics may be combined in any suitable manner, as would be apparent to one of ordinary skill in the art from this disclosure, in one or more embodiments.
Thus, while there has been described what are believed to be the preferred embodiments of the invention, those skilled in the art will recognize that other and further modifications may be made thereto without departing from the scope of the invention as defined by the claims, and it is intended to claim all such changes and modifications as fall within the scope of the invention. For example, any formulas given above are merely representative of procedures that may be used. Functionality may be added or deleted from the block diagrams and operations may be interchanged among functional blocks. Steps may be added or deleted to methods described within the scope of the present invention.
Number | Date | Country | Kind |
---|---|---|---|
LI101088 | Jan 2019 | LU | national |
Filing Document | Filing Date | Country | Kind |
---|---|---|---|
PCT/EP2020/050083 | 1/3/2020 | WO | 00 |