LI Yiquan OUS2-PDF-proposal-template
Form OUS2
Undergraduate Research and Innovation Scheme (URIS)
Research Proposal Form
[To be filled out by the Applicant and not to exceed four A4 pages (single-line spaced)]
NOTES TO APPLICANTS
1. The components of this proposal template can be revised and finalised with the project
supervisor according to the project nature.
2. Delete “Purpose” and “Tips” under each section when submitting this form.
Student Name: LI Yiquan
Dept: COMP
Name of Proposed Chief Supervisor: Bin Xiao
Dept: COMP
Name of Proposed Co-supervisor (if any):
Dept:
1. Project Title
Adversarial robustness in Model-Agnostic Meta-Learning
2. Project Objectives
Meta-Learning is a recently proposed approach in Artificial Intelligence (AI) that makes the machine study the process of learning itself, which is considered key to achieving artificial intelligence. Model-Agnostic Meta-Learning (MAML) [1] is one of the Meta-Learning algorithms. In my research, I will focus on studying the adversarial robustness of MAML, so that Meta-Learning becomes more reliable in real physical applications.
Figure 1. The objectives of this research proposal
My research has three main objectives. First, I intend to assess how the Meta-Learning algorithm MAML behaves under attack by adversarial examples. Many learning models are not robust when the learning samples are contaminated, which makes it highly risky to deploy them in reality. I will assess the behavior of the Meta-Learning model when it is attacked with adversarial examples.
Second, I will evaluate the impact of adversarial training applied to MAML and judge whether it is a significant method for improving the robustness of Meta-Learning. Adversarial training has succeeded as a defense method in many cases, so I will analyze the feasibility of adversarial training in MAML.
Last, I will focus on making improvements to MAML to enhance its robustness, or on coming up with a more robust Meta-Learning algorithm. According to Goodfellow [2], the linear nature of the network leads to its vulnerability to adversarial perturbation. I intend to enhance the MAML algorithm with this linear nature in mind: I will attempt to optimize the MAML process, or propose another Meta-Learning algorithm that adapts better to adversarial examples.
3. Background
Deep Learning uses Deep Neural Networks to mimic the activity of human neurons, and can make the computer think like a human being. Deep Learning methods can be applied in various areas such as natural language processing, computer vision and game theory.
As Deep Learning has become a widely used technology for Machine Learning problems, researchers have discovered that current Deep Learning algorithms face serious security threats: a Deep Learning model can easily be fooled by adversaries who perturb benign samples [3]. An imperceptible perturbation can lead to a wrong prediction by the model. Such an input is called an adversarial example, and it is considered one of the main difficulties in building Deep Learning models. Solving the problem has great practical significance: a failure in a self-driving automobile might have severe consequences, such as recognizing a red light on the street as a green light.
To address the problem, researchers have conceived different attack models to test the existing Deep Learning models. Present adversarial attacks can be classified into three categories: white-box, gray-box and black-box attacks. In a white-box attack, the attacker is assumed to fully understand the target model. In a gray-box attack, the attacker knows the structure of the target model. In a black-box attack, the attacker can only observe the output of the model. Researchers have proposed numerous attack algorithms, such as the fast gradient sign method (FGSM) [2], projected gradient descent (PGD) [4], Carlini and Wagner attacks (C&W) [5] and DeepFool [6]. These attack methods are designed for the white-box setting, but there is also evidence that they are effective in the black-box and gray-box settings.
To deal with adversarial examples, diverse defensive techniques have been put forward, which are categorized into heuristic defenses and certified defenses. In a heuristic defense, researchers assess the defensive ability of their model through experiments, without specific theoretical support. A heuristic defense can be realized by adding adversarial examples to the training set to enhance the robustness of the model; this process is called adversarial training. There are two steps in generating adversarial examples: Direction Sensitivity Estimation and Perturbation Selection [7]. With FGSM, the sensitivity information is obtained by calculating the gradient of the cost function with respect to the input of the neural network [2]. In the Perturbation Selection step, the attacker selects the dimensions to perturb according to the sensitivity information from the first step and adds the perturbation to generate the adversarial example. The adversarial perturbation can be represented as follows:
$\eta = \epsilon \, \mathrm{sign}\big(\nabla_x J(\theta, x, y)\big)$ (1)
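As an added worked example (not code from the proposal or from [2]), the two steps above on a constructed logistic-regression model: the gradient of J with respect to x is the sensitivity estimate, equation (1) turns it into the perturbation, and the last two functions show the linearity argument the proposal cites from Goodfellow [2] (the logit shift one step can cause grows as ε‖w‖₁) and the clean-versus-perturbed error rate the project plan proposes to report. The weights, bias and sample point are assumed values.

```python
import math

# Constructed toy model: logistic regression on an 8-dimensional input.
# W, B, X0 and Y0 are assumed values for illustration only.
W = [0.5, -1.2, 0.8, 0.3, -0.6, 0.9, -0.4, 0.7]
B = 0.1
X0 = [0.2, -0.1, 0.3, 0.5, -0.2, 0.1, 0.4, -0.3]   # clean sample, class 1
Y0 = 1

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict(x, w=W, b=B):
    """Return p(y=1|x) and the hard label."""
    p = sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)
    return p, int(p >= 0.5)

def input_gradient(x, y, w=W, b=B):
    """Direction Sensitivity Estimation: gradient of the cross-entropy
    cost J with respect to the input x. For logistic regression
    dJ/dx = (sigmoid(w.x + b) - y) * w."""
    p, _ = predict(x, w, b)
    return [(p - y) * wi for wi in w]

def fgsm(x, y, eps, w=W, b=B):
    """Perturbation Selection, equation (1): eta = eps * sign(grad_x J).
    Every dimension moves by exactly eps in the direction that raises J."""
    g = input_gradient(x, y, w, b)
    eta = [eps * (1 if gi > 0 else -1 if gi < 0 else 0) for gi in g]
    return [xi + ei for xi, ei in zip(x, eta)]

def linf_norm(a, b):
    """Largest per-dimension change between two inputs."""
    return max(abs(ai - bi) for ai, bi in zip(a, b))

def logit_shift_bound(eps, w=W):
    """Linearity argument [2]: one FGSM step shifts the logit w.x by
    eps * ||w||_1, which grows with the input dimension."""
    return eps * sum(abs(wi) for wi in w)

def error_rate(samples, eps):
    """Error rate on [(x, y), ...]; eps == 0 means clean examples only."""
    wrong = 0
    for x, y in samples:
        xa = fgsm(x, y, eps) if eps > 0 else x
        wrong += predict(xa)[1] != y
    return wrong / len(samples)
```

With these values the clean point is classified correctly, ε = 0.1 is not enough to flip it, and ε = 0.2 is, even though no coordinate changes by more than 0.2.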
Nevertheless, the defensive ability of a heuristic defense has no theoretical proof, which means that a heuristic defense might be breached by new attacks in the future. A certified defense calculates the minimum accuracy of the model with a specific algorithm. However, research shows that the existing certified defense methods do not perform as well as adversarial training.
Meta-Learning is currently a hot topic which aims to solve the problem that a traditional neural network model requires a large amount of training data and many iterative steps, and cannot share the experience gained from different types of tasks. Meta-Learning builds on the idea that human beings can adapt to a new task rapidly when given essential knowledge. For example, people can quickly learn how to classify a new kind of photograph. The purpose of Meta-Learning is to build a machine model that is capable of learning, even with only a small quantity of sample data.
MAML is a widely used Meta-Learning algorithm proposed by Chelsea Finn [1]. MAML uses a small amount of data to find an appropriate initial parameter region, so that the model can be fitted quickly on a limited data set. The MAML optimization process is divided into two layers. The inner loop contains T training tasks starting from the current parameter θ. On the basis of θ, each task carries out an independent gradient update and obtains its own optimized result; for the T tasks these are denoted θ_1, θ_2, …, θ_T. In the higher-dimensional parameter space, this can be pictured as the movement of a point in the figure. The θ_i here is the optimal solution for task T_i. The outer loop performs another learning step based on the test data and the inner-loop parameters θ_i. This process finds the θ that minimizes the loss on the test sets of the T tasks, and this θ is the optimal solution applicable to all tasks.
Figure 2. Graph of the Model-Agnostic Meta-Learning (MAML) process [1]
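As an added toy example (not the MAML paper's code and not this proposal's), the two-layer optimization described above on constructed one-parameter linear regression tasks: inner_step is the per-task update that produces θ_i from θ, and meta_gradient is the outer-loop gradient of the task's test (query) loss at θ_i, including the second-order factor dθ_i/dθ that MAML keeps. Task slopes, support and query inputs and both learning rates are assumed values.

```python
# Constructed toy: task T_i is the 1-parameter regression y = a_i * x.
# A, XS, XQ, ALPHA and BETA are assumed values for illustration only.
A = [0.5, 1.0, 1.5, 2.0]       # one true slope a_i per task
XS = [0.5, 1.0, 1.5]           # support inputs (inner-loop training data)
XQ = [0.8, 1.2, 2.0]           # query inputs (outer-loop test data)
ALPHA, BETA = 0.1, 0.05        # inner-loop and outer-loop learning rates

def loss(theta, a, xs):
    """Mean squared error of the model y = theta*x on the task y = a*x."""
    return sum((theta * x - a * x) ** 2 for x in xs) / len(xs)

def grad(theta, a, xs):
    """d loss / d theta = 2 * mean(x^2) * (theta - a)."""
    return 2.0 * sum(x * x for x in xs) / len(xs) * (theta - a)

def hessian(xs):
    """d^2 loss / d theta^2 = 2 * mean(x^2); constant for this model."""
    return 2.0 * sum(x * x for x in xs) / len(xs)

def inner_step(theta, a):
    """Inner loop: one gradient step on task i's support set gives theta_i."""
    return theta - ALPHA * grad(theta, a, XS)

def meta_gradient(theta, a):
    """Outer loop: d/d theta of the query loss evaluated at theta_i.
    Chain rule: d theta_i / d theta = 1 - ALPHA * H, the second-order
    term that distinguishes MAML from a first-order approximation."""
    theta_i = inner_step(theta, a)
    return (1.0 - ALPHA * hessian(XS)) * grad(theta_i, a, XQ)

def maml_train(theta0=0.0, iters=300):
    """Meta-update theta on the sum of the per-task query losses."""
    theta = theta0
    for _ in range(iters):
        theta -= BETA * sum(meta_gradient(theta, a) for a in A)
    return theta

def adapted_query_loss(theta):
    """Average query loss over all tasks after one inner step from theta."""
    return sum(loss(inner_step(theta, a), a, XQ) for a in A) / len(A)
```

For these symmetric tasks the meta-learned initialization converges to the mean slope 1.25, the point from which a single inner step reaches every task best.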
Since Meta-Learning has garnered particular attention recently, researchers have noticed that current Meta-Learning algorithms may not perform well under attack by adversarial examples. In my research, I will try to find an effective methodology for the condition of limited and contaminated samples [8]. The problem is common in the real world; for example, photographs may be polluted by unexpected bad weather like mist and rain. Enhancing the robustness of Meta-Learning can help the further application of this learning concept in the real world.
4. Project Plan
To assess the behavior of MAML under attack by adversarial examples, I intend to use the FGSM algorithm to generate adversarial examples and observe the classification accuracy of MAML on them. The study will use the CIFAR-10 and MiniImageNet data sets to evaluate the robustness of MAML. MiniImageNet includes 100 classes with 600 samples, which is suitable for few-shot learning. CIFAR-10 also contains 100 classes with 600 samples and was initially made for object recognition. Other attack algorithms such as PGD [4] and C&W [5] will also be used to test the robustness of MAML. I will report the classification error rate on clean examples and on mixed examples containing both clean and adversarial samples.
To evaluate the robustness of MAML with adversarial training, I will again use FGSM to generate adversarial examples and add these examples to the clean data as the training set of the model. After training I will use multiple attack methods to evaluate the training outcome.
The third part of the plan is to enhance the robustness of MAML, which may consume much more time than the first two steps. There are two main ways to build a defense: one is adjusting the learning method to defend against the attack of adversarial examples, the other is strengthening the detection of contaminated samples. I will attempt three methods to optimize the robustness of the model. First, find a way to add new examples or continually change the training process during learning. The second idea is to improve the learning network to increase robustness. The third plan is to attach an additional learning network to the original model when potential adversarial examples are detected.
The first two parts can be completed within two or three months. The third part is expected to be finished in 1 year, to fully evaluate which proposal is most effective at enhancing the robustness of Meta-Learning. Here is the schedule table:
DATE                    SCHEDULE
2021.5.15 - 2021.6.15   Get familiar with the attack algorithms FGSM, PGD, C&W and DeepFool and read related papers
2021.6.16 - 2021.7.15   Test the robustness of MAML by diverse attacking algorithms
2021.7.16 - 2021.8.31   Use adversarial training to enhance the defensive capability of MAML towards adversarial examples
2021.9.1 - 2021.11.1    Attempt to add new training data in the learning model to improve the robustness of MAML
2021.11.2 - 2022.1.1    Attempt to improve the original learning network of MAML
2022.1.2 - 2022.3.1     Attempt to use an attached new network to improve the robustness of MAML
2022.3.2 -              Evaluate the 3 attempts and try to find a more robust Meta-Learning algorithm
5. References
[1] Finn, Chelsea, Abbeel, Pieter, and Levine, Sergey, “Model-Agnostic Meta-Learning for Fast
Adaptation of Deep Networks,” 2017.
[2] Goodfellow, Ian J, Shlens, Jonathon, and Szegedy, Christian, “Explaining and Harnessing
Adversarial Examples,” 2014.
[3] Ren, Kui, Zheng, Tianhang, Qin, Zhan, and Liu, Xue, “Adversarial Attacks and Defenses in
Deep Learning,” Engineering (Beijing, China), vol. 6, no. 3, pp. 346–360, 2020, doi:
10.1016/j.eng.2019.12.012.
[4] Madry, Aleksander, Makelov, Aleksandar, Schmidt, Ludwig, Tsipras, Dimitris, and Vladu,
Adrian, “Towards Deep Learning Models Resistant to Adversarial Attacks,” 2017.
[5] Carlini, Nicholas and Wagner, David, “Towards Evaluating the Robustness of Neural
Networks,” 2016.
[6] Moosavi-Dezfooli, Seyed-Mohsen, Fawzi, Alhussein, and Frossard, Pascal, “DeepFool: A
Simple and Accurate Method to Fool Deep Neural Networks,” in 2016 IEEE Conference on
Computer Vision and Pattern Recognition (CVPR), 2016, vol. 2016, pp. 2574–2582, doi:
10.1109/CVPR.2016.282.
[7] Papernot, Nicolas, McDaniel, Patrick, Wu, Xi, Jha, Somesh, and Swami, Ananthram,
“Distillation as a Defense to Adversarial Perturbations against Deep Neural Networks,” 2015.
[8] Yin, Chengxiang, Tang, Jian, Xu, Zhiyuan, and Wang, Yanzhi, “Adversarial Meta-Learning,” 2018.