Form OUS2
Undergraduate Research and Innovation Scheme (URIS) Research Proposal Form
[To be filled out by the Applicant and not to exceed four A4 pages (single-line spaced)]

NOTES TO APPLICANTS
1. The components of this proposal template can be revised and finalised with the project supervisor according to the project nature.
2. Delete “Purpose” and “Tips” under each section when submitting this form.

Student Name: LI Yiquan   Dept: COMP
Name of Proposed Chief Supervisor: Bin Xiao   Dept: COMP
Name of Proposed Co-supervisor (if any):   Dept:

1. Project Title
Adversarial robustness in Model-Agnostic Meta-Learning

2. Project Objectives
Meta-Learning is a recently proposed approach in Artificial Intelligence (AI) that makes the machine study the process of learning itself, which is considered the key to achieving artificial intelligence. Model-Agnostic Meta-Learning (MAML) [1] is one of the Meta-Learning algorithms. In my research, I will focus on the adversarial robustness of MAML, so that Meta-Learning becomes more reliable in real physical applications.

Figure 1. The objectives of this research proposal

My research has three main objectives. First, I intend to assess how the Meta-Learning algorithm MAML behaves under attack by adversarial examples. Many learning models are not robust when the learning samples are contaminated, which makes applying them in reality highly risky. I will assess the behavior of a Meta-Learning model when it is attacked with adversarial examples. Second, I will evaluate the impact of adversarial training applied to MAML and judge whether it is a significant method for improving the robustness of Meta-Learning. Adversarial training has been successful as a defense method in many cases, so I will analyze the feasibility of adversarial training in MAML.
Last, I will focus on improving MAML to enhance its robustness, or on proposing a more robust Meta-Learning algorithm. According to Goodfellow [2], the linear nature of the network leads to its vulnerability to adversarial perturbation. I intend to enhance the MAML algorithm based on this linear nature: I will attempt to optimize the MAML process, or propose another Meta-Learning algorithm that adapts better to adversarial examples.

3. Background
Deep Learning uses Deep Neural Networks to mimic the activity of human neurons, and can make the computer think like a human being. Deep Learning methods can be applied in various areas such as natural language processing, computer vision and game theory. As Deep Learning has become a widely used technology for Machine Learning problems, researchers have discovered that current Deep Learning algorithms face serious security threats: a Deep Learning model can easily be fooled by adversaries who perturb benign samples [3]. An imperceptible perturbation can lead to a wrong prediction by the model. Such an input is called an adversarial example, and it is considered one of the main difficulties in building Deep Learning models. Solving the problem has great practical significance: failures in self-driving automobiles might have severe consequences, such as recognizing a red light as a green light on the street.

To address the problem, researchers have conceived different attack models against existing Deep Learning models. Present adversarial attacks can be classified into three categories: white-box, gray-box and black-box attacks. In a white-box attack, the attackers are assumed to fully understand their target model. In a gray-box attack, the attackers know the structure of the target model. In a black-box attack, the attackers can only observe the output of the model.
Researchers have proposed numerous attack algorithms, such as the fast gradient sign method (FGSM) [2], projected gradient descent (PGD) [4], the Carlini and Wagner attacks (C&W) [5] and DeepFool [6]. These attack methods are designed for the white-box setting, but there is also evidence that they are effective in the black-box and gray-box settings.

To deal with adversarial examples, diverse defensive techniques have been put forward; they are categorized into heuristic defense and certified defense. In heuristic defense, researchers assess the robustness of their model through experiments, without specific theoretical support. Heuristic defense can be realized by adding adversarial examples to the training set to enhance the robustness of the model; this process is called adversarial training. There are two steps to generating adversarial examples: direction sensitivity estimation and perturbation selection [7]. Using FGSM, the sensitivity information is obtained by calculating the gradient of the cost function with respect to the input of the neural network [2]. In the perturbation selection step, the attacker selects the dimensions according to the sensitivity information from the first step and adds perturbation to them to generate the adversarial examples. The adversarial perturbation can be represented as follows:

$\eta = \varepsilon \,\mathrm{sign}\big(\nabla_x J(\theta, x, y)\big)$   (1)

Nevertheless, the robustness achieved by heuristic defense has no theoretical proof, which means that a heuristic defense might be breached by new attacks in the future. Certified defense calculates the minimum accuracy of the model by a specific algorithm. However, research shows that the existing certified defense methods do not perform as well as adversarial training.
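The FGSM perturbation of equation (1) and the adversarial training it feeds, as an added example that is not code from the proposal or from the cited papers; it also serves the evaluation planned in Section 4 (error rate on clean versus adversarial inputs, then retraining on clean data plus FGSM examples). Everything in it is constructed: the four-feature data set, the logistic-regression classifier standing in for a real model, the budget ε = 2, the epoch count and the learning rate are assumptions, not values from the proposal.

```python
"""Added example (not from the proposal): FGSM evaluation and adversarial
training on a tiny logistic-regression classifier, in pure Python.
The data set is constructed so that feature 0 is 'robust' (class means
+/-5, far beyond the attack budget EPS=2) while features 1..3 are
'non-robust' (class means +/-1, low noise): they predict the clean label
well, but an L-inf perturbation of size 2 flips their sign."""
import math
import random

EPS = 2.0            # FGSM budget epsilon (L-inf), an assumed value
N_FEATURES = 4
RNG = random.Random(0)


def make_dataset(n_per_class):
    """Constructed toy data: label 1 has positive means, label 0 negative."""
    data = []
    for label in (0, 1):
        s = 1.0 if label == 1 else -1.0
        for _ in range(n_per_class):
            x = [s * 5.0 + RNG.gauss(0.0, 1.5)]                    # robust feature
            x += [s * 1.0 + RNG.gauss(0.0, 0.25) for _ in range(N_FEATURES - 1)]
            data.append((x, label))
    RNG.shuffle(data)
    return data


def sign(v):
    return 1.0 if v > 0 else -1.0 if v < 0 else 0.0


def predict_prob(model, x):
    """P(label = 1 | x) for the logistic model (w, b)."""
    w, b = model
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    z = max(-500.0, min(500.0, z))                 # avoid overflow in exp
    return 1.0 / (1.0 + math.exp(-z))


def fgsm(model, x, y, eps=EPS):
    """Equation (1): eta = eps * sign(grad_x J(theta, x, y)).
    For logistic regression with cross-entropy loss J, grad_x J = (p - y) * w,
    so the perturbation direction is sign((p - y) * w_i) per input dimension."""
    w, _ = model
    p = predict_prob(model, x)
    return [xi + eps * sign((p - y) * wi) for xi, wi in zip(x, w)]


def train(data, epochs=300, lr=0.1, adversarial=False):
    """Full-batch gradient descent on the cross-entropy loss.
    With adversarial=True, every epoch also trains on FGSM examples crafted
    against the current model (clean + adversarial = adversarial training)."""
    w, b = [0.0] * N_FEATURES, 0.0
    for _ in range(epochs):
        batch = list(data)
        if adversarial:
            batch += [(fgsm((w, b), x, y), y) for x, y in data]
        gw, gb = [0.0] * N_FEATURES, 0.0
        for x, y in batch:
            err = predict_prob((w, b), x) - y      # dJ/dz for cross-entropy
            for i, xi in enumerate(x):
                gw[i] += err * xi
            gb += err
        n = len(batch)
        w = [wi - lr * g / n for wi, g in zip(w, gw)]
        b -= lr * gb / n
    return w, b


def error_rate(model, data, attack=False):
    """Classification error on clean data, or on white-box FGSM examples
    crafted against `model` when attack=True."""
    wrong = 0
    for x, y in data:
        if attack:
            x = fgsm(model, x, y)
        wrong += int((predict_prob(model, x) >= 0.5) != (y == 1))
    return wrong / len(data)


def run_experiment():
    """Error rates of a standard and an adversarially trained model,
    each evaluated on clean and on FGSM test inputs."""
    train_set, test_set = make_dataset(200), make_dataset(200)
    standard = train(train_set)
    robust = train(train_set, adversarial=True)
    return {
        "standard_clean": error_rate(standard, test_set),
        "standard_fgsm": error_rate(standard, test_set, attack=True),
        "robust_clean": error_rate(robust, test_set),
        "robust_fgsm": error_rate(robust, test_set, attack=True),
    }


if __name__ == "__main__":
    for name, rate in run_experiment().items():
        print(f"{name:15s} {rate:.3f}")
```

Because the classifier is linear, the FGSM step lowers every sample's margin by exactly ε‖w‖₁, so adversarial training pushes the weights on the three non-robust features toward zero and the adversarially trained model keeps most of its accuracy under attack, while the standard model, which leans on those features, loses far more; this is the linear-model mechanism behind the vulnerability and the defense that Goodfellow [2] describes.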
Meta-Learning is currently a hot topic. It aims to solve the problem that a traditional neural network model requires a large amount of training data and many iterative steps, and cannot share the experience gained from different types of tasks. Meta-Learning holds that human beings can adapt to a new task rapidly when given the essential knowledge; for example, people can quickly learn how to classify a new kind of photo. The purpose of Meta-Learning is to build a machine model that is capable of learning, even with only a small quantity of sample data.

MAML is a widely used Meta-Learning algorithm proposed by Chelsea Finn [1]. MAML uses a small amount of data to find an appropriate range of initial parameter values, so that the model can quickly be fitted on a limited data set. The MAML optimization process is divided into two layers. The inner loop contains T training sets, with the current parameter θ. Starting from θ, each task carries out an independent gradient update and obtains its own optimized parameters, denoted θ1, θ2, ..., θT. In a higher-dimensional space this can be pictured as points in the graph; the θi here is the optimal solution for task Ti. The outer loop performs another learning process based on the test data and the parameters θi from the inner loop. This process obtains the θ which minimizes the loss on the test sets of the T tasks, and this θ is the optimal solution applicable to all tasks.

Figure 2. Graph of the Model-Agnostic Meta-Learning (MAML) algorithm [1]

Since Meta-Learning has garnered particular attention recently, researchers have noticed that current Meta-Learning algorithms may not perform well under attack by adversarial examples. In my research, I will try to find a sufficient methodology to deal with the condition of limited and contaminated samples [8]. The problem is common in the real world; for example, photographs may be polluted by unexpected bad weather such as mist and rain.
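The two-layer MAML optimization described above, as an added example that is not code from the proposal or from Finn et al. [1]. The task family (1-D linear regression y = a·x + b with random a, b), the linear model, the step sizes α = 0.1 and β = 0.1, and the zero-initialization baseline used for comparison are all constructed assumptions; because the model is linear, the inner-loop Hessian is available in closed form, so the exact second-order outer gradient can be written out by hand.

```python
"""Added example (not from the proposal or from Finn et al. [1]): the two-level
MAML optimisation on a constructed family of 1-D linear regression tasks.
Each task T_i is y = a*x + b with (a, b) drawn at random; the model is
y_hat = theta[0]*x + theta[1] with mean squared error, so the inner-loop
gradient and its Hessian have closed forms and the exact second-order
outer gradient can be written out without autograd."""
import random

RNG = random.Random(1)
ALPHA = 0.1    # inner-loop step size (assumed)
BETA = 0.1     # outer-loop (meta) step size (assumed)


def sample_task():
    """A task is (a, b); the target function is y = a*x + b (constructed)."""
    return (RNG.uniform(1.0, 3.0), RNG.uniform(-1.0, 1.0))


def sample_points(task, n):
    """n (x, y) pairs from the task, with x uniform on [-2, 2]."""
    a, b = task
    xs = [RNG.uniform(-2.0, 2.0) for _ in range(n)]
    return [(x, a * x + b) for x in xs]


def loss(theta, points):
    """Mean squared error of the linear model on the given points."""
    return sum((theta[0] * x + theta[1] - y) ** 2 for x, y in points) / len(points)


def grad_and_hessian(theta, points):
    """Gradient of the MSE at theta and its Hessian (constant for a linear model)."""
    n = len(points)
    g0 = g1 = h00 = h01 = h11 = 0.0
    for x, y in points:
        r = theta[0] * x + theta[1] - y
        g0 += 2.0 * r * x / n
        g1 += 2.0 * r / n
        h00 += 2.0 * x * x / n
        h01 += 2.0 * x / n
        h11 += 2.0 / n
    return (g0, g1), ((h00, h01), (h01, h11))


def adapt(theta, support):
    """Inner loop: one gradient step on the support set gives theta_i."""
    (g0, g1), hess = grad_and_hessian(theta, support)
    return (theta[0] - ALPHA * g0, theta[1] - ALPHA * g1), hess


def maml(meta_iters=200, tasks_per_batch=10, n_support=5, n_query=10):
    """Outer loop: theta <- theta - BETA * mean_i dL_query_i(theta_i)/dtheta.
    With theta_i = theta - ALPHA * grad L_support_i(theta), the chain rule gives
    dL_query_i(theta_i)/dtheta = (I - ALPHA * H_support_i) grad L_query_i(theta_i),
    the second-order term that full MAML keeps and first-order MAML drops."""
    theta = (0.0, 0.0)
    for _ in range(meta_iters):
        m0 = m1 = 0.0
        for _ in range(tasks_per_batch):
            task = sample_task()
            support, query = sample_points(task, n_support), sample_points(task, n_query)
            theta_i, h = adapt(theta, support)
            (q0, q1), _ = grad_and_hessian(theta_i, query)
            # multiply the query gradient by the symmetric matrix (I - ALPHA*H)
            m0 += (1.0 - ALPHA * h[0][0]) * q0 - ALPHA * h[0][1] * q1
            m1 += -ALPHA * h[1][0] * q0 + (1.0 - ALPHA * h[1][1]) * q1
        theta = (theta[0] - BETA * m0 / tasks_per_batch,
                 theta[1] - BETA * m1 / tasks_per_batch)
    return theta


def post_adaptation_loss(theta, n_tasks=100, n_support=5, n_query=20):
    """Average query loss on new tasks after one inner step from init theta."""
    total = 0.0
    for _ in range(n_tasks):
        task = sample_task()
        theta_i, _ = adapt(theta, sample_points(task, n_support))
        total += loss(theta_i, sample_points(task, n_query))
    return total / n_tasks


def compare_inits():
    """Post-adaptation loss from the meta-learned init versus a zero init."""
    theta_meta = maml()
    return {"maml": post_adaptation_loss(theta_meta),
            "zero": post_adaptation_loss((0.0, 0.0))}


if __name__ == "__main__":
    for name, value in compare_inits().items():
        print(f"{name:5s} {value:.3f}")
```

The comparison is the one the proposal's Figure 2 illustrates: after a single inner-loop step on five support points of an unseen task, the meta-learned θ fits the task far better than an arbitrary initialization, because the outer loop has placed θ where one step from it is productive for the whole task family rather than for any single task.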
Enhancing the robustness of Meta-Learning can help the further application of this learning concept in the real world.

4. Project Plan
To assess the behavior of MAML under attack by adversarial examples, I intend to use the FGSM algorithm to generate adversarial examples and observe the accuracy of MAML on them. The study data will be based on the CIFAR-10 and MiniImageNet data sets to evaluate the robustness of MAML. MiniImageNet includes 100 classes with 600 samples each, which is suitable for few-shot learning. CIFAR-10 also contains 100 classes with 600 samples and was initially made for object recognition. Other attack algorithms such as PGD [4] and C&W [5] will also be used to test the robustness of MAML. I will report the classification error rate on clean examples and on mixed examples containing both clean and adversarial samples.

To evaluate the robustness of MAML with adversarial training, I will again use FGSM to generate adversarial examples and add these examples to the clean data as the training set of the model. After training, I will use multiple attack methods to evaluate the training outcome.

The third part of the plan is to enhance the robustness of MAML, which may take much more time than the first two steps. There are two main ways to build a defense: one is adjusting the learning method to defend against adversarial examples, the other is strengthening the detection of contaminated samples. I will attempt three methods to optimize the robustness of the model. The first is to find a way to add new examples or continually change the training process during learning. The second idea is to improve the learning network to increase robustness. The third plan is to attach an additional learning network to the original model when potential adversarial examples are detected. The first two parts of the plan can be completed within two or three months.
The third part is expected to be finished in 1 year, to fully evaluate which proposal can be most effective at enhancing the robustness of Meta-Learning. Here is the schedule table:

DATE                     SCHEDULE
2021.5.15 - 2021.6.15    Get familiar with the attack algorithms FGSM, PGD, C&W and DeepFool and read related papers
2021.6.16 - 2021.7.15    Test the robustness of MAML with diverse attack algorithms
2021.7.16 - 2021.8.31    Use adversarial training to enhance the defensive capability of MAML against adversarial examples
2021.9.1 - 2021.11.1     Attempt to add new training data to the learning model to improve the robustness of MAML
2021.11.2 - 2022.1.1     Attempt to improve the original learning network of MAML
2022.1.2 - 2022.3.1      Attempt to use an attached new network to improve the robustness of MAML
2022.3.2 -               Evaluate the 3 attempts and try to find a more robust Meta-Learning algorithm

5. References
[1] Finn, Chelsea, Abbeel, Pieter, and Levine, Sergey, “Model-Agnostic Meta-Learning for Fast Adaptation of Deep Networks,” 2017.
[2] Goodfellow, Ian J., Shlens, Jonathon, and Szegedy, Christian, “Explaining and Harnessing Adversarial Examples,” 2014.
[3] Ren, Kui, Zheng, Tianhang, Qin, Zhan, and Liu, Xue, “Adversarial Attacks and Defenses in Deep Learning,” Engineering (Beijing, China), vol. 6, no. 3, pp. 346–360, 2020, doi: 10.1016/j.eng.2019.12.012.
[4] Madry, Aleksander, Makelov, Aleksandar, Schmidt, Ludwig, Tsipras, Dimitris, and Vladu, Adrian, “Towards Deep Learning Models Resistant to Adversarial Attacks,” 2017.
[5] Carlini, Nicholas and Wagner, David, “Towards Evaluating the Robustness of Neural Networks,” 2016.
[6] Moosavi-Dezfooli, Seyed-Mohsen, Fawzi, Alhussein, and Frossard, Pascal, “DeepFool: A Simple and Accurate Method to Fool Deep Neural Networks,” in 2016 IEEE Conference on Computer Vision and Pattern Recognition (CVPR), 2016, pp. 2574–2582, doi: 10.1109/CVPR.2016.282.
[7] Papernot, Nicolas, McDaniel, Patrick, Wu, Xi, Jha, Somesh, and Swami, Ananthram, “Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks,” 2015.
[8] Yin, Chengxiang, Tang, Jian, Xu, Zhiyuan, and Wang, Yanzhi, “Adversarial Meta-Learning,” 2018.