Abstract/Summary

This PhD thesis investigates the relationship between network architectures and the robustness against adversarial attacks using a novel methodology that considers both aspects as part of the robustness analysis. Through an investigation on the adversarial targeting of neurons, specifically in the first convolutional layer of a deep neural network (DNN), we observe a relationship between neurons that affect the test accuracy of the DNN, when inferring on a clean, unperturbed dataset, subsequently characterising them as fragile, and those neurons targeted by a potential adversarial attack. We show how the fragile neurons of a DNN convolutional layer evolve over the network training procedure and propose an algorithm to show the targeting of fragile neurons by adversarial attacks. Using the developed adversarial targeting algorithm we show that adversarial attacks focus on specific components of the convolutional layer, framing the adversarial perturbations as attacks on fragile neurons. The task of analysing the robustness of DNNs, thus, leads us to the identification of fragile and non-fragile network parameters, where non-fragile refers to any parameters that do not degrade the performance when subjected to perturbations, as opposed to fragile parameters that do degrade network performance. When discussing perturbations, we consider both variations to the network parameters and the input dataset, in the form of adversarial attacks. We further extend the analysis to characterise the parameters of deep neural networks as either fragile, robust, or antifragile, and show that network accuracy is impacted negatively, invariantly, or positively w.r.t. defined global and local robustness scores that are computed using a baseline network performance. We design a signal processing technique in the form of synaptic filters that identify the fragility, robustness and antifragility characteristics of deep neural network parameters. We subject a network to synaptic filters and compare the network responses for both clean and adversarial datasets, subsequently exposing parameters targeted by the adversary. Our results identify the structural fragility of network architectures and show how they evolve over the training process, thus informing us on the learning landscapes of DNNs. We find that, for a given network architecture, global and local filtering responses have invariant features to different datasets over the learning landscape. Vice-versa, for a given dataset we identify invariant features across different network architectures. Our proposed analysis of fragility, robustness and antifragility of deep neural networks is useful for designing compact networks by removing particularly the antifragile parameters. We improve the adversarial robustness of networks using a selective backpropagation method that, upon identification of parameter characterisations, retrains only the robust and antifrgaile parameter updates, whilst omitting the fragile parameter updates during the training procedure. Following this, we develop DNNs for two novel, real-world applications; a DNN designed to identify the the optimum denoising filter for noisy ECG waveforms, and DNNs designed to classify human activities and motion intensities from signals measured using an ultra wide-band radar system. We use original datasets for both tasks and develop novel DNN architectures for the classification tasks. Subsequently, we apply the developed selective backpropagation method to train the custom-designed DNNs and observed an increase in adversarial robustness for the DNNs evaluated. Furthermore, for both the signal denoising filter selection and activity classification tasks, we discern an improvement in the test accuracy when applied to the clean, unperturbed dataset. We successfully show that the proposed selective backpropagation method is capable of improving the adversarial robustness of networks, and in certain instances, also the regular test accuracy. Supporting results for these findings are presented across the chapters of this thesis.