A cost-aware approach to adversarial robustness in neural networks
Umeå University, Faculty of Science and Technology, Department of Computing Science (Autonomous Distributed Systems Laboratory). ORCID iD: 0000-0002-1277-9811
Umeå University, Faculty of Science and Technology, Department of Computing Science; Elastisys AB, Sweden (Autonomous Distributed Systems Laboratory). ORCID iD: 0000-0002-0751-9695
Umeå University, Faculty of Science and Technology, Department of Computing Science; Elastisys AB, Sweden. ORCID iD: 0000-0002-2633-6798
Umeå University, Faculty of Science and Technology, Department of Computing Science. ORCID iD: 0000-0001-7119-7646
(English) Manuscript (preprint) (Other academic)
Abstract [en]

Considering the growing prominence of production-level AI and the threat of adversarial attacks that can evade a model at run-time, evaluating the robustness of models to these evasion attacks is of critical importance. Additionally, testing model changes likely means deploying the models to a device (e.g., a car, a medical imaging device, or a drone) to see how they affect performance, making un-tested changes a public problem that reduces development speed, increases the cost of development, and makes it difficult (if not impossible) to separate cause from effect. In this work, we used survival analysis as a cloud-native, time-efficient and precise method for predicting model performance in the presence of adversarial noise. For neural networks in particular, the relationships between the learning rate, batch size, training time, convergence time, and deployment cost are highly complex, so researchers generally rely on benchmark datasets to assess the ability of a model to generalize beyond the training data. However, in practice, this means that each model configuration needs to be evaluated against real-world deployment samples, which can be prohibitively expensive or time-consuming to collect, especially when other parts of the software or hardware stack are developed in parallel. To address this, we propose using accelerated failure time models to measure the effect of hardware choice, batch size, number of epochs, and test-set accuracy by using adversarial attacks to induce failures on a reference model architecture before deploying the model to the real world. We evaluate several GPU types and use the Tree Parzen Estimator to maximize model robustness and minimize model run-time simultaneously. This provides a way to evaluate the model and optimise it in a single step, while simultaneously allowing us to model the effect of model parameters on training time, prediction time, and accuracy.
Using this technique, we demonstrate that newer, more powerful hardware does decrease the training time, but with a monetary and power cost that far outpaces the marginal gains in accuracy.

Keywords [en]
artificial intelligence, machine learning, adversarial AI, optimisation, compliance
National Category
Computer Sciences
Research subject
Computer Science; Mathematical Statistics
Identifiers
URN: urn:nbn:se:umu:diva-238922
OAI: oai:DiVA.org:umu-238922
DiVA, id: diva2:1958872
Funder
Knut and Alice Wallenberg Foundation, 2019.0352
Available from: 2025-05-16 Created: 2025-05-16 Last updated: 2025-05-19 Bibliographically approved
In thesis
1. Trustworthy machine learning
2025 (English) Doctoral thesis, comprehensive summary (Other academic)
Alternative title [sv]
Tillförlitlig maskininlärning
Abstract [sv]

This thesis studies robustness, privacy and reproducibility in safety-critical machine learning, with particular emphasis on computer vision, anomaly detection and evasion attacks.

The work begins by analysing the practical costs and benefits of defence strategies against attacks, showing that common robustness metrics are poor indicators of real-world performance under attack (Paper I). Through large-scale experiments, the work further shows that adversarial examples can often be generated in linear time, which gives attackers a computational advantage over defenders (Paper II). To address this, the thesis presents a new metric, the Training Rate and Survival Heuristic (TRASH), for predicting model failure under attack and facilitating early rejection of vulnerable architectures (Paper III). This metric was then extended to real-world costs, showing that robustness under attack can be improved using cheap, low-precision hardware without sacrificing accuracy (Paper IV).

Beyond robustness, the thesis addresses privacy by designing a lightweight client-side spam detection model that preserves user data and withstands several classes of attacks without requiring server-side computation (Paper V). In response to the need for reproducible and auditable experiments in safety-critical contexts, the thesis also presents "deckard", a declarative software framework for distributed and robust machine learning experiments (Paper VI).

Together, these contributions offer empirical techniques for evaluating and improving model robustness, propose a privacy-preserving classification strategy, and deliver practical tools for reproducible experiments. Overall, the thesis advances the goal of building machine learning systems that are not only accurate, but also robust, reproducible and trustworthy.

Abstract [en]

This thesis studies adversarial robustness, privacy, and reproducibility in safety-critical machine learning systems, with particular emphasis on computer vision, anomaly detection, and evasion attacks, through a series of papers. The work begins by analysing the practical costs and benefits of defence strategies against adversarial attacks, revealing that common robustness metrics are poor indicators of real-world adversarial performance (Paper I). Through large-scale experiments, it further demonstrates that adversarial examples can often be generated in linear time, granting attackers a computational advantage over defenders (Paper II). To address this, a novel metric, the Training Rate and Survival Heuristic (TRASH), was developed to predict model failure under attack and facilitate early rejection of vulnerable architectures (Paper III). This metric was then extended to real-world cost, showing that adversarial robustness can be improved using low-cost, low-precision hardware without sacrificing accuracy (Paper IV). Beyond robustness, the thesis tackles privacy by designing a lightweight, client-side spam detection model that preserves user data and resists several classes of attacks without requiring server-side computation (Paper V). Recognizing the need for reproducible and auditable experiments in safety-critical contexts, the thesis also presents deckard, a declarative software framework for distributed and robust machine learning experimentation (Paper VI). Together, these contributions offer empirical techniques for evaluating and improving model robustness, propose a privacy-preserving classification strategy, and deliver practical tooling for reproducible experimentation. Ultimately, this thesis advances the goal of building machine learning systems that are not only accurate, but also robust, reproducible, and trustworthy.

Place, publisher, year, edition, pages
Umeå, Sweden: Umeå University, 2025. p. 66
Series
Report / UMINF, ISSN 0348-0542 ; 25.10
Keywords
Machine Learning, Adversarial Machine Learning, Anomaly Detection, Computer Vision, Robustness, Artificial Intelligence, Trustworthy Machine Learning, Adversariell maskininlärning, anomalidetektering, artificiell intelligens, datorseende, maskininlärning, robusthet, tillförlitlig maskininlärning
National Category
Computer Sciences
Research subject
Computer Science
Identifiers
urn:nbn:se:umu:diva-238928 (URN)
978-91-8070-722-0 (ISBN)
978-91-8070-723-7 (ISBN)
Public defence
2025-06-11, UB.A.230 - Lindellhallen 3, Universitetstorget 4, Umeå, Sweden, 13:00 (English)
Funder
Knut and Alice Wallenberg Foundation, 2019.035
Available from: 2025-05-21 Created: 2025-05-16 Last updated: 2025-05-19 Bibliographically approved

Open Access in DiVA

No full text in DiVA

Other links

Full text in arXiv

Authority records

Meyers, Charles; Saleh Sedghpour, Mohammad Reza; Elmroth, Erik; Löfstedt, Tommy
