Improving classifier robustness

Thumbnail Image

Files

isbn9789526428062.pdf (518.84 KB)

URL

Journal Title

Journal ISSN

Volume Title

School of Science | Doctoral thesis (article-based) | Defence date: 2025-11-03
Unless otherwise stated, all rights belong to the author. You may download, display and print this publication for Your own personal use. Commercial use is prohibited.

Authors

Date

2025

Department

Tietotekniikan laitos
Department of Computer Science

Major/Subject

Mcode

Degree programme

Language

en

Pages

92 + app. 61

Series

Aalto University publication series DOCTORAL THESES, 217/2025

Abstract

Machine learning classifiers are the state-of-the-art in classification and increasingly deployed in domains where safety and security are critical. Such domains include banking, autonomous driving, malware detection, and cancer detection. Unlike humans, machine learning classifiers can be easily fooled by attacks that perturb samples slightly to cause misclassifications. The use of vulnerable machine learning classifiers in domains without much room for error is concerning for those that rely on classifier outputs. In this thesis, we aim for an overarching goal of increasing machine learning classifier robustness. We investigated the use of symmetry to defend against adversarial perturbation attacks in different types of classifiers against adversaries with and without knowledge of the defense. In addition, we investigated how to increase classifier adversarial robustness and generalization by increasing classifier function smoothness, which is known to be closely related to generalization and robustness. Furthermore, we also explored the increasing of classifier generalization using regression-based features that capture mutual information among standard features. As a result, we show that adversarial perturbation attacks can be countered in neural networks using symmetry. We also show that the symmetry defense can be applied to decision trees, after showing that these trees also lack invariance with respect to symmetries. We find that additional training samples decrease adversarial robustness in decision trees, which is contrary to conventional wisdom. We explain why this happens in decision trees.

Description

Supervising professor

Ylä-Jääski, Antti, Prof., Aalto University, Department of Computer Science, Finland

Thesis advisor

Aura, Tuomas, Prof., Aalto University, Department of Computer Science, Finland

Keywords

adversarial machine learning, evasion attacks, symmetry

Other note

Parts

  • [Publication 1]: Blerta Lindqvist, "On the Adversarial Robustness of Decision Trees and a Symmetry Defense," in IEEE Access, vol. 13, pp. 16120-16132, 2025.
    Full text in Acris/Aaltodoc: https://urn.fi/URN:NBN:fi:aalto-202503192924
    DOI: 10.1109/ACCESS. 2025.3530695 View at publisher
  • [Publication 2]: Blerta Lindqvist. "Symmetry Defense Against CNN Adversarial Perturbation Attacks," in: Athanasopoulos, E., Mennink, B. (eds) Information Security. ISC 2023. Lecture Notes in Computer Science, vol 14411. Springer,Cham.
    DOI: 10.1007/978-3-031-49187-0_8 View at publisher
  • [Publication 3]: Blerta Lindqvist, "A Novel Method for Function Smoothness in Neural Networks," in IEEE Access, vol. 10, pp. 75354-75364, 2022.
    Full text in Acris/Aaltodoc: https://urn.fi/URN:NBN:fi:aalto-202209145571
    DOI: 10.1109/ACCESS.2022.3189363 View at publisher
  • [Publication 4]: Rauf Izmailov, Blerta Lindqvist and Peter Lin, "Feature Selection in Learning Using Privileged Information," 2017 IEEE International Conference on Data Mining Workshops (ICDMW), New Orleans, LA, USA, 2017, pp. 957-963.
    DOI: 10.1109/ICDMW.2017.131 View at publisher

Citation

Permanent link to this item

https://urn.fi/URN:ISBN:978-952-64-2806-2

Collections

[diss] Perustieteiden korkeakoulu / SCI