Towards robust machine learning with graph neural networks

Thesis

In order to apply Neural Networks in safety-critical settings, such as healthcare or autonomous driving, we need to be able to analyse their robustness against adversarial attacks. These attacks perturb natural images by adding small, carefully chosen perturbations to them that are imperceptible to the human eye. Trained neural networks with high training and validation accuracy often misclassify a large number of these perturbed images. In this thesis we propose several new methods aimed at analysing the robustness of trained neural networks to adversarial attacks.

In the first part, we improve upon existing methods to generate adversarial examples more efficiently. We note that past work in this field has relied on optimization methods that ignore the inherent structure of the problem and data, or generative methods that rely purely on learning and often fail to generate adversarial examples where they are hard to find. To alleviate these deficiencies, we propose a novel stand-alone attack based on a GNN that takes advantage of the strengths of both approaches. Our GNN computes descent directions to guide an iterative procedure towards adversarial examples.

Our next contribution is inspired by the observation that many state-of-the-art adversarial attacks require many random restarts to generate adversarial examples. Each time we perform a restart we ignore all previous unsuccessful runs. In order to alleviate this deficiency, we propose a method that learns from its mistakes. Specifically, our method uses GNNs as an attention, to greatly reduce the search space for future iterations of the attacks.

For our final contribution, we note that adversarial attacks may fail, even where adversarial examples exist. We thus focus on formal complete neural network verification which returns a sound and complete proof of robustness. Recent years have witnessed the deployment of branch-and-bound (BaB) frameworks for formal verification in deep learning. The main computational bottleneck of BaB is the estimation of lower bounds. Past work in this field has relied on traditional optimization algorithms whose inefficiencies have limited their scope. To alleviate this deficiency, we propose a novel graph neural network (GNN) based approach. Our GNN aims to compute a dual solution of the convex relaxation, thereby providing a valid lower bound, which, if positive, proves robustness.

Authors: Jaeckle, F

• DOI: 10.5287/ora-9rovq4bkp
• Type of award: DPhil
• Level of award: Doctoral
• Awarding institution: University of Oxford
• Language: English
• Keywords: neural network verification; machine learning; robustness; computer vision; explainability
• Subjects: Deep learning (Machine learning)