Master's Dissertation Defense – João Gabriel Zago – 5/4/2021

25/03/2021 22:26
Master's Dissertation Defense
Student: João Gabriel Zago
Advisor: Prof. Fábio Luis Baldissera, Dr. – DAS/UFSC
Co-advisor: Prof. Eric Aislan Antonelo, Dr. – DAS/UFSC
Co-advisor: Prof. Rodrigo Saad, Dr. – PPGEAS/UFSC

Date: 5/4/2021 (Monday) – 2 p.m.

Videoconference (https://meet.google.com/qvo-nyvb-yme)

Examining committee: Prof. Fábio Luis Baldissera, Dr. – DAS/UFSC (chair);
Prof. Maurício Fernandes Figueiredo, Dr. – DC/UFSCar;
Prof. Jomi Fred Hübner, Dr. – DAS/UFSC;
Prof. Marcelo Ricardo Stemmer, Dr. – DAS/UFSC.

Title: Defense Methods for Convolutional Neural Networks Against Adversarial Attacks
Abstract: Despite their success in image classification, Convolutional Neural Networks (CNNs) are still fragile to small perturbations in the input images they have to classify: slight changes in the values of some pixels can result in completely different network outputs. Images purposefully perturbed to deceive a classifier are known as adversarial images. This vulnerability of CNNs to adversarial images raises concerns in safety-sensitive applications, those with life-threatening, environmental, or financial implications. This thesis proposes two computationally cheap and complementary methods to help circumvent and alleviate this fragility of CNNs: a) a novel strategy that reduces the success of adversarial attacks by obfuscating the softmax output, which does not require any network training; and b) a method that employs Benford's Law to distinguish natural images from adversarial ones at the pixel level, providing an extra shield that acts at the input layer of vulnerable CNNs. The defense developed in (a) not only decreases the attack success rate but also forces the attack algorithm to insert larger perturbations into the input images. The study conducted in (b) indicates that: 1) adversarial images tend to deviate significantly more from Benford's distribution than unaltered images; 2) this deviation increases with the magnitude of the perturbation; 3) in some cases, it is possible to identify an ongoing attack by monitoring this deviation online, making it possible to turn off the classifier for that particular requester before the attack completes. Finally, the two methods are orthogonal, so we expect the CNN classifier to be better protected against attacks when both are used simultaneously.
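To make the Benford's Law shield of (b) and the online monitoring of finding 3) concrete, the following Python example (added here; it is not the thesis's code and does not reproduce its experiments) computes a leading-digit histogram of an image's pixel intensities, scores its deviation from Benford's distribution, and feeds that score to a per-requester monitor that cuts the classifier off once the deviation stays high. The abstract does not state which distance or threshold the thesis uses, so the total-variation distance, the 0.15 threshold and the 8-query window below are assumptions, and the "images" are constructed synthetic pixel lists (log-uniform intensities as a Benford-conforming stand-in, uniform intensities as a non-conforming one), not real or adversarial data.

```python
import math
import random
from collections import Counter, deque

# Benford's Law: probability that the leading decimal digit of a positive number is d.
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}


def leading_digit(value):
    """Most significant decimal digit (1..9) of a positive integer."""
    if value <= 0:
        raise ValueError("leading digit is only defined for positive values")
    while value >= 10:
        value //= 10
    return value


def leading_digit_histogram(pixels):
    """Empirical leading-digit frequencies of the non-zero 8-bit intensities."""
    counts = Counter(leading_digit(p) for p in pixels if p > 0)
    total = sum(counts.values())
    if total == 0:
        raise ValueError("image has no non-zero pixels; Benford test is undefined")
    return {d: counts.get(d, 0) / total for d in range(1, 10)}


def benford_deviation(pixels):
    """Distance between the image's leading-digit histogram and Benford's Law.

    Assumption: the thesis does not name its metric; this uses the total
    variation distance 0.5 * sum_d |p_emp(d) - p_benford(d)|, which lies in [0, 1].
    """
    hist = leading_digit_histogram(pixels)
    return 0.5 * sum(abs(hist[d] - BENFORD[d]) for d in range(1, 10))


class RequesterMonitor:
    """Online monitor: sliding-window mean deviation per requester; once it
    exceeds the threshold the requester is refused further classifications.
    Threshold and window size are illustrative assumptions, not thesis values."""

    def __init__(self, threshold=0.15, window=8):
        self.threshold = threshold
        self.window = window
        self.recent = {}      # requester id -> deque of recent deviations
        self.blocked = set()  # requesters already cut off

    def allow(self, requester, pixels):
        """True if this query may reach the classifier, False if the requester is cut off."""
        if requester in self.blocked:
            return False
        recent = self.recent.setdefault(requester, deque(maxlen=self.window))
        recent.append(benford_deviation(pixels))
        if len(recent) == self.window and sum(recent) / len(recent) > self.threshold:
            self.blocked.add(requester)
            return False
        return True


# Constructed stand-ins for images: flat lists of 8-bit intensities, not real data.
def log_uniform_image(n, rng):
    """Intensities spread log-uniformly over 1..255, which follow Benford closely."""
    top = math.log10(255)
    return [int(round(10 ** rng.uniform(0, top))) for _ in range(n)]


def uniform_image(n, rng):
    """Intensities uniform over 0..255, far from Benford (digit 1 leads ~43% of values)."""
    return [rng.randint(0, 255) for _ in range(n)]


def run_demo(seed=2021, n=64 * 64):
    """Score one image of each kind, then stream ten of each through the monitor."""
    rng = random.Random(seed)
    result = {
        "natural_deviation": benford_deviation(log_uniform_image(n, rng)),
        "uniform_deviation": benford_deviation(uniform_image(n, rng)),
    }
    monitor = RequesterMonitor()
    result["natural_allowed"] = [monitor.allow("A", log_uniform_image(n, rng)) for _ in range(10)]
    result["uniform_allowed"] = [monitor.allow("B", uniform_image(n, rng)) for _ in range(10)]
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Requester A (Benford-conforming queries) is never blocked, while requester B is refused from its eighth query onward, once the window is full and its mean deviation exceeds the threshold. In practice the threshold would be calibrated on clean data for the deployed model and the window sized against the attack's query budget; a very small window makes the monitor noisy, a very large one lets an attacker finish before the mean crosses the threshold.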