Recently, Deep Neural Network (DNN) models have shown remarkable success on several tasks, including classification and domain translation. However, these methods typically do not perform well on samples lying in relatively low-density areas of the data distribution, where the model was not well trained. In this thesis, we analyze the effect of different types of noise on the predictions of different DNN-based applications. In particular, for classification-based models, we propose a generalized framework for crafting adversarial examples in a black-box attack setting. As a defense against such adversarial examples, we propose a novel algorithm called MALADE, which drives a given off-manifold input towards the high-density regions of the data-generating distribution with intrinsic knowledge of the perceptual decision boundary during inference. For domain-translation-based models, we propose to drive the unsuccessful fringe examples towards the data manifold by cooling the input test distribution using Langevin dynamics. We demonstrate qualitatively and quantitatively that our strategy enhances the robustness of state-of-the-art methods for classification as well as for domain translation tasks. Taking medical imaging as an exemplar use case of DNN-based classification, we evaluate the robustness of pretraining and self-supervision strategies to input distortions and bias.