| dc.contributor.advisor | Duane S. Boning. | en_US |
| dc.contributor.author | Chen, Hongge,Ph. D.Massachusetts Institute of Technology. | en_US |
| dc.contributor.other | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science. | en_US |
| dc.date.accessioned | 2021-05-24T20:23:06Z | |
| dc.date.available | 2021-05-24T20:23:06Z | |
| dc.date.copyright | 2021 | en_US |
| dc.date.issued | 2021 | en_US |
| dc.identifier.uri | https://hdl.handle.net/1721.1/130760 | |
| dc.description | Thesis: Ph. D., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, February, 2021 | en_US |
| dc.description | Cataloged from the official PDF of thesis. | en_US |
| dc.description | Includes bibliographical references (pages 109-124). | en_US |
| dc.description.abstract | Recent studies have demonstrated that machine learning models are vulnerable to adversarial perturbations - a small and human-imperceptible input perturbation can easily change the model output completely. This has created serious security threats to many real applications, so it becomes important to formally verify the robustness of machine learning models. This thesis studies the robustness of deep neural networks as well as tree-based models, and considers the applications of robust machine learning models in deep reinforcement learning. We first develop a novel algorithm to learn robust trees. Our method aims to optimize the performance under the worst case perturbation of input features, which leads to a max-min saddle point problem when splitting nodes in trees. | en_US |
| dc.description.abstract | We propose efficient tree building algorithms by approximating the inner minimizer in this saddle point problem, and present efficient implementations for classical information gain based trees as well as state-of-the-art tree boosting models such as XGBoost. Experiments show that our method improve the model robustness significantly. We also propose an efficient method to verify the robustness of tree ensembles. We cast the tree ensembles verification problem as a max-clique problem on a multipartite graph. We develop an efficient multi-level verification algorithm that can give tight lower bounds on robustness of decision tree ensembles, while allowing iterative improvement and termination at any-time. | en_US |
| dc.description.abstract | On random forest or gradient boosted decision trees models trained on various datasets, our algorithm is up to hundreds of times faster than the previous approach that requires solving a mixed integer linear programming, and is able to give tight robustness verification bounds on large ensembles with hundreds of deep trees. For neural networks, we contribute a number of empirical studies on the practicality and the hardness of adversarial training. We show that even with adversarial defense, a model's robustness on a test example has a strong correlation with the distance between that example and the manifold of training data embedded by the network. Test examples that are relatively far away from this manifold are more likely to be vulnerable to adversarial attacks. | en_US |
| dc.description.abstract | Consequentially, we demonstrate that an adversarial training based defense is vulnerable to a new class of attacks, the "blind-spot attack," where the input examples reside in low density regions ("blind-spots") of the empirical distribution of training data but are still on the valid ground-truth data manifold. Finally, we apply neural network robust training methods to deep reinforcement learning (DRL) to train agents that are robust against perturbations on state observations. We propose the state-adversarial Markov decision process (SA-MDP) to study the fundamental properties of this problem, and propose a theoretically principled regularization which can be applied to different DRL algorithms, including deep Q networks (DQN) and proximal policy optimization (PPO). We significantly improve the robustness of agents under strong white box adversarial attacks, including new attacks of our own. | en_US |
| dc.description.statementofresponsibility | by Hongge Chen. | en_US |
| dc.format.extent | 172 pages | en_US |
| dc.language.iso | eng | en_US |
| dc.publisher | Massachusetts Institute of Technology | en_US |
| dc.rights | MIT theses may be protected by copyright. Please reuse MIT thesis content according to the MIT Libraries Permissions Policy, which is available through the URL provided. | en_US |
| dc.rights.uri | http://dspace.mit.edu/handle/1721.1/7582 | en_US |
| dc.subject | Electrical Engineering and Computer Science. | en_US |
| dc.title | Robust machine learning models and their applications | en_US |
| dc.type | Thesis | en_US |
| dc.description.degree | Ph. D. | en_US |
| dc.contributor.department | Massachusetts Institute of Technology. Department of Electrical Engineering and Computer Science | en_US |
| dc.identifier.oclc | 1252059420 | en_US |
| dc.description.collection | Ph.D. Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science | en_US |
| dspace.imported | 2021-05-24T20:23:06Z | en_US |
| mit.thesis.degree | Doctoral | en_US |
| mit.thesis.department | EECS | en_US |
