深度学习模型鲁棒性研究综述

在大数据时代下,深度学习理论和技术取得的突破性进展,为人工智能提供了数据和算法层面的强有力支撑,同时促进了深度学习的规模化和产业化发展.然而,尽管深度学习模型在现实应用中有着出色的表现,但其本身仍然面临着诸多的安全威胁.为了构建安全可靠的深度学习系统,消除深度学习模型在实际部署应用中的潜在安全风险,深度学习模型鲁棒性分析问题吸引了学术界和工业界的广泛关注,一大批学者分别从精确和近似的角度对深度学习模型鲁棒性问题进行了深入的研究,并且提出了一系列的模型鲁棒性量化分析方法.在本综述中,我们回顾了深度学习模型鲁棒性分析问题当前所面临的挑战,并对现有的研究工作进行了系统的总结和科学的归纳,同时明确了当前研究的优势和不足,最后探讨了深度学习模型鲁棒性研究以及未来潜在的研究方向.

Robustness Certification Research on Deep Learning Models:A Survey

In the era of big data,breakthroughs in theories and technologies of deep learning have provided strong support for artificial intelligence at the data and the algorithm level,as well as have promoted the development of scale and industrialization of deep learning in a large number of tasks,such as image classification,object detection,semantic segmentation,natural language processing and speech recognition.However,though deep learning models have excellent performance in many real-world applications,they still suffer many security threats.For instance,it is now known that deep neural networks are fundamentally vulnerable to malicious manipulations,such as adversarial examples that force target deep neural networks to misbehave.In recent years,a plethora of work has focused on constructing adversarial examples in various domains.The phenomenon of adversarial examples demonstrates the inherent lack of robustness of deep neural networks,which limits their use in security-critical applications.In order to build a safe and reliable deep learning system and eliminate the potential security risks of deep learning models in real-world applications,the security issue of deep learning has attracted extensive attention from academia and industry.Thus far,intensive research has been devoted to improving the robustness of DNNs against adversarial attacks.Unfortunately,most defenses are based on heuristics and thus lack any theoretical guarantee,which can often be defeated or circumvented by more powerful attacks.Therefore,defenses only showing empirical success against attacks,are difficult to be concluded robust.Aiming to end the constant arms race between adversarial attacks and defenses,the concept of robustness certification is proposed to provide guaranteed robustness by formally verifying whether a given region surrounding a data point admits any adversarial example.Robustness certification,the functionality of verifying whether the given region surrounding a data point admits any adversarial example,provides guaranteed security for deep neural networks deployed in adversarial environments.Within the certified robustness bound,any possible perturbation would not impact the prediction of a deep neural network.A large number of researchers have conducted in-depth research on the model robustness certification from the perspective of complete and incomplete,and proposed a series of certification methods.These methods can be generally categorized as exact certification methods and relaxed certification methods.Exact certification methods are mostly based on satisfiability modulo theories or mixed-integer linear program solvers.Though these methods are able to certify the exact robustness bound,they are usually computationally expensive.Hence,it is difficult to scale them even to medium size networks.Relaxed certification methods include the convex polytope methods,reachability analysis methods,and abstract interpretation methods,etc.These methods are usually efficient but cannot provide precise robustness bounds as exact certification methods do.Nevertheless,considering the expensive computational cost,relaxed certification methods are shown to be more promising in practical applications,especially for large networks.In this survey,we review the current challenges of model robustness certification problem,systematically and scientifically summarize existing research work,and clarify the advantages and disadvantages of current research.Finally,we explore future research directions of model robustness certification research.