Applications using Artificial Intelligence techniques demand a thorough assessment of different aspects of trust, namely, data and model privacy, reliability, robustness against adversarial attacks, fairness, and interpretability. While each of these aspects has been extensively studied in isolation, an understanding of the trade-offs between different aspects of trust is lacking. In this work, the trade-off between fault tolerance, privacy, and adversarial robustness is evaluated for Deep Neural Networks, by considering two adversarial settings under security and a privacy threat model. Specifically, this work studies the impact of training the model with input noise (Adversarial Robustness) and gradient noise (Differential Privacy) on Neural Network’s fault tolerance. While adding noise to inputs, gradients or weights enhances fault tolerance, it is observed that adversarial robustness lowers fault tolerance due to increased overfitting. On the other hand, (εdp, δdp)-Differentially Private models enhance the fault tolerance, measured using generalisation error, which theoretically has an upper bound of eεdp - 1 + δdp. This novel study of the trade-offs between different aspects of trust is pivotal for training trustworthy Machine Learning models.
ShokriR., StrobelM. and ZickY., Privacy risks of explaining machine learning models, arXiv preprint arXiv:1907.00164, 2019.
2.
SongL., ShokriR. and MittalP., Privacy risks of securing machine learning models against adversarial examples, arXiv preprint arXiv:1905.10291, 2019.
3.
JagielskiM., KearnsM., MaoJ., OpreaA., RothA., MalvajerdiS.S. and UllmanJ., Differentially private fair learning. In Kamalika Chaudhuri and Ruslan Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning, volume 97 of Proceedings of Machine Learning Research, pages 3000–3008, Long Beach, California, USA, 09–15 Jun 2019. PMLR.
4.
EtmannC., LunzS., MaassP. and SchoenliebC., On the connection between adversarial robustness and saliency map interpretability. In Kamalika Chaudhuri and R. Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning, volume 97 of Proceedings of Machine Learning Research, pages 1823–1832, Long Beach, California, USA, 09–15 Jun 2019. PMLR.
5.
DudduV., RaoD.V. and BalasV.E., Adversarial fault tolerant training for deep neural networks, arXiv preprint arXiv:1907.03103, 2019.
6.
DeyP., NagK., PalT. and Pal.N.R., Regularizing multilayer perceptron for robustness,–Aug, IEEE Transactions on Systems, Man, and Cybernetics: Systems48(8) (1266), 2018.
7.
DeodhareD., VidyasagarM. and KeethiS.S., Synthesis of fault-tolerant feedforward neural networks using minimax optimization, IEEE Transactions on Neural Networks9(5) (1998), 891–900.
8.
NetiC., SchneiderM.H. and YoungE.D., Maximally fault tolerant neural networks, IEEE Transactions on Neural Networks3(1) (1992), 14–23.
9.
BishopC.M., Training with noise is equivalent to tikhonov regularization, Neural Comput7(1) (1995), 108–116.
10.
GanjuK., WangQ., YangW., GunterC.A. and BorisovN., Property inference attacks on fully connected neural networks using permutation invariant representations. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, pages 619–633, New York, NY, USA, 2018. ACM.
11.
ShokriR., StronatiM., SongC. and ShmatikovV., Membership inference attacks against machine learning models. In 2017 IEEE Symposium on Security and Privacy (SP), pages 3–18, May 2017.
12.
SalemA., ZhangY., HumbertM., FritzM. and BackesM., Ml-leaks: Model and data independent membership inference attacks and defenses on machine learning models. In Annual Network and Distributed System Security Symposium (NDSS), 2019. to appear.
13.
DworkC. and RothA., The algorithmic foundations of differential privacy, 2014.
14.
AbadiM., ChuA., GoodfellowI., McMahanH.B., MironovI., TalwarK. and ZhangL., Deep learning with differential privacy. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, CCS’16, pages 308–318, NewYork,NY, USA, 2016.ACM.
15.
BernierJ., OrtegaJ., VidalE., RojasI. and PrietoA., A quantitative study of fault tolerance, noise immunity, and generalization ability of mlps, Neural Computation12 (2001), 2941–2964.
16.
WangJ., ChangQ., ChangQ., LiuY. and PalN.R., Weight noise injection-based mlps with group lasso penalty: Asymptotic convergence and application to node pruning, IEEE Transactions on Cybernetics pages 1–19, 2018.
17.
PhatakD.S. and KorenI., Complete and partial fault tolerance of feedforward neural nets, IEEE Transactions on Neural Networks6(2) (1995), 446–456.
18.
BeiuV., RohatinoviciN.C., DăuşL. and BalasV.E., Transport reliability on axonal cytoskeleton. In 2017 14th International Conference on Engineering of Modern Electric Systems (EMES), pages 160–163, June 2017.
19.
CowellS. R., BeiuV., DăuşL. and PoulinP., On the exact reliability enhancements of small hammock networks, IEEE Access6 (2018), 25411–25426.
20.
JinC. and JinS.-W., Applications of fuzzy integrals for predicting software fault-prone, J Intell Fuzzy Syst26(2) (2014), 721–729.
21.
DudduV., A survey of adversarial machine learning in cyber warfare, Defence Science Journal68(4) (2018), 356–366.
22.
MadryA., MakelovA., SchmidtL., TsiprasD. and VladuA., Towards deep learning models resistant to adversarial attacks. In International Conference on Learning Representations, 2018.
23.
ZhangH., YuY., JiaoJ., XingE., GhaouiL.E. and JordanM., Theoretically principled trade-off between robustness and accuracy. In Kamalika Chaudhuri and Ruslan Salakhutdinov, editors, Proceedings of the 36th International Conference on Machine Learning, volume 97 of Proceedings of Machine Learning Research, pages 7472–7482, Long Beach, California, USA, 09–15 Jun 2019. PMLR.
24.
SinhaA., NamkoongH. and DuchiJ., Certifiable distributional robustness with principled adversarial training. In International Conference on Learning Representations, 2018.
25.
MirmanM., GehrT. and VechevM., Differentiable abstract interpretation for provably robust neural networks. In Jennifer Dy and Andreas Krause, editors, Proceedings of the 35th International Conference on Machine Learning, volume 80 of Proceedings of Machine Learning Research, pages 3578–3586, Stockholm smässan, Stockholm Sweden, 10–15 Jul 2018. PMLR.
26.
DworkC., Differential privacy: A survey of results. In Manindra Agrawal, Dingzhu Du, Zhenhua Duan, and Angsheng Li, editors, Theory and Applications of Models of Computation, pages 1–19, Berlin, Heidelberg, 2008. Springer, Berlin Heidelberg.
27.
MironovI., Rényi differential privacy. In 2017 IEEE 30th Computer Security Foundations Symposium (CSF), pages 263–275, Aug 2017.
28.
FredriksonM., JhaS. and RistenpartT., Model inversion attacks that exploit confidence information and basic countermeasures. In Proceedings of the 22Nd ACM SIGSAC Conference on Computer and Communications Security, CCS ’15, pages 1322–1333, New York, NY, USA, 2015. ACM.
29.
SalemA., BhattacharyyaA., BackesM., FritzM. and ZhangY., Updates-leak: Data set inference and reconstruction attacks in online learning. CoRR, abs/1904.01067, 2019.
30.
CarliniN., LiuC., ErlingssonÚ., KosJ. and SongD., The secret sharer: Evaluating and testing unintended memorization in neural networks. In 28th USENIX Security Symposium (USENIX Security 19), pages 267–284, Santa Clara, CA, August 2019. USENIX Association.
31.
JayaramanB. and EvansD., Evaluating differentially private machine learning in practice. In 28th USENIX Security Symposium(USENIX Security 19), pages 1895–1912, Santa Clara, CA, August 2019. USENIX Association.
32.
NasrM., ShokriR. and HoumansadrA., Machine learning with membership privacy using adversarial regularization. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS ’18, pages 634–646, New York, NY, USA, 2018. ACM.
33.
JiaJ., SalemA., BackesM., ZhangY. and GongN.Z., Memguard: Defending against blackbox membership inference attacks via adversarial examples. arXiv preprint arXiv:1909.10594, 2019.
34.
PapernotN., SongS., MironovI., RaghunathanA., TalwarK. and ErlingssonU., Scalable private learning with PATE. In International Conference on Learning Representations, 2018.
35.
HoK.I., LeungC. and SumJ., Convergence and objective functions of some fault/noise-injection-based online learning algorithms for rbf networks, IEEE Transactions on Neural Networks21(6) (2010), 938–947.
36.
HolmstromL. and KoistinenP., Using additive noise in backpropagation training, IEEE Transactions on Neural Networks3(1) (1992), 24–38.
37.
MatsuokaK., Noise injection into inputs in back-propagation learning, IEEE Transactions on Systems, Man, and Cybernetics22(3) (1992), 436–440.
38.
WangY.-X., LeiJ. and FienbergS.E., Learning with differential privacy: Stability, learnability and the sufficiency and necessity of erm principle, Journal of Machine Learning Research17(183) (2016), 1–40.
