1 code implementation • 18 Mar 2024 • Alexander Levine, Peter Stone, Amy Zhang
In this work, we consider the Ex-BMDP model, first proposed by Efroni et al. (2022), which formalizes control problems where observations can be factorized into an action-dependent latent state that evolves deterministically and action-independent, time-correlated noise.
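A minimal sketch of the factorization this abstract describes, with hypothetical names (`latent_step`, `noise_step`, `emit` are illustrative, not the paper's API): the controllable latent state evolves deterministically under actions, while the noise evolves on its own, independent of actions.

```python
# Illustrative Ex-BMDP sketch (not the paper's code): observations are
# emitted from a deterministic, controllable latent state plus
# action-independent, time-correlated noise.
import random

class ExBMDP:
    def __init__(self, latent_step, noise_step, emit):
        self.latent_step = latent_step  # deterministic: (s, a) -> s'
        self.noise_step = noise_step    # stochastic, ignores actions: e -> e'
        self.emit = emit                # observation: (s, e) -> x

    def step(self, s, e, a):
        s_next = self.latent_step(s, a)
        e_next = self.noise_step(e)
        return s_next, e_next, self.emit(s_next, e_next)

# Toy instance: the latent state is a counter, the noise is a lazy random walk.
mdp = ExBMDP(
    latent_step=lambda s, a: s + a,
    noise_step=lambda e: e + random.choice([-1, 0, 1]),
    emit=lambda s, e: s + e,  # the observation entangles state and noise
)
s, e = 0, 0
s, e, x = mdp.step(s, e, a=1)
```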
no code implementations • 18 Nov 2022 • Priyatham Kattakinda, Alexander Levine, Soheil Feizi
Using the validation set, we evaluate several popular DNN image classifiers and find that the classification performance of models generally suffers on our background-diverse images.
1 code implementation • 28 Aug 2022 • Alexander Levine, Soheil Feizi
We empirically show that this can improve the performance of goal-conditioned off-policy reinforcement learning when the space of goals is high-dimensional.
1 code implementation • 5 Aug 2022 • Wenxiao Wang, Alexander Levine, Soheil Feizi
Deep Partition Aggregation (DPA) and its extension, Finite Aggregation (FA), are recent approaches for provable defenses against data poisoning: they predict through the majority vote of many base models, each trained with a given learner on a different subset of the training set.
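A minimal DPA-style sketch under stated assumptions: examples are hashable, `train_base` stands in for an arbitrary deterministic learner, and the papers' tie-breaking details are ignored.

```python
# DPA sketch: train base models on disjoint, hash-defined partitions of the
# training set and predict by majority vote. Because each example lands in
# exactly one partition, a poisoned example can change at most one vote.
from collections import Counter

def dpa_train(dataset, k, train_base):
    partitions = [[] for _ in range(k)]
    for example in dataset:
        # Hashing example *contents* keeps the partition stable under
        # insertions/deletions (a stable hash would be used in practice).
        partitions[hash(example) % k].append(example)
    return [train_base(part) for part in partitions]

def dpa_predict(models, x):
    votes = Counter(model(x) for model in models)
    (top, n_top), = votes.most_common(1)
    n_second = max([n for c, n in votes.items() if c != top], default=0)
    # Flipping one base model moves the margin by at most 2, so (ignoring
    # tie-breaking) the prediction tolerates this many poisoned examples:
    certified_poisons = (n_top - n_second) // 2
    return top, certified_poisons
```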
1 code implementation • 16 Mar 2022 • Alexander Levine, Soheil Feizi
Our approach builds on recent work by Levine and Feizi (2021), which provides a provable defense against L_1 attacks.
1 code implementation • 5 Feb 2022 • Wenxiao Wang, Alexander Levine, Soheil Feizi
DPA predicts through an aggregation of base classifiers trained on disjoint subsets of data, thus restricting its sensitivity to dataset distortions.
1 code implementation • 28 Jan 2022 • Aounon Kumar, Alexander Levine, Tom Goldstein, Soheil Feizi
Certified robustness in machine learning has primarily focused on adversarial perturbations of the input with a fixed attack budget for each point in the data distribution.
1 code implementation • CVPR 2022 • Jiang Liu, Alexander Levine, Chun Pong Lau, Rama Chellappa, Soheil Feizi
In addition, we design a robust shape completion algorithm, which is guaranteed to remove the entire patch from the images if the outputs of the patch segmenter are within a certain Hamming distance of the ground-truth patch masks.
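A hedged sketch of the shape-completion idea in its simplest setting, a square patch of known size k: among all placements of a k-by-k mask, pick the one at minimum Hamming distance from the segmenter's output (names are illustrative; the paper's algorithm is more general).

```python
# Snap a noisy predicted patch mask to the nearest k x k square placement.
# All candidates have exactly k*k ones, so minimizing Hamming distance is
# equivalent to maximizing overlap with the predicted mask.
import numpy as np
from numpy.lib.stride_tricks import sliding_window_view

def complete_square_mask(pred_mask, k):
    windows = sliding_window_view(pred_mask.astype(int), (k, k))
    overlap = windows.sum(axis=(2, 3))          # overlap at every placement
    i, j = np.unravel_index(overlap.argmax(), overlap.shape)
    completed = np.zeros_like(pred_mask, dtype=bool)
    completed[i:i + k, j:j + k] = True
    return completed
```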
no code implementations • ICLR 2022 • Aounon Kumar, Alexander Levine, Soheil Feizi
Prior works in provable robustness in RL seek to certify the behaviour of the victim policy at every time-step against a non-adaptive adversary using methods developed for the static setting.
1 code implementation • 17 Mar 2021 • Alexander Levine, Soheil Feizi
To the best of our knowledge, this is the first work to provide deterministic "randomized smoothing" for a norm-based adversarial threat model while allowing for an arbitrary classifier (i.e., a deep model) to be used as a base classifier and without requiring an exponential number of smoothing samples.
no code implementations • ICLR 2021 • Alexander Levine, Soheil Feizi
Against general poisoning attacks, where no prior certified defenses exist, DPA can certify $\geq$ 50% of test images against over 500 poison image insertions on MNIST, and nine insertions on CIFAR-10.
1 code implementation • 20 Oct 2020 • Alexander Levine, Aounon Kumar, Thomas Goldstein, Soheil Feizi
In this work, we show that there also exists a universal curvature-like bound for Gaussian random smoothing: given the exact value and gradient of a smoothed function, we compute a lower bound on the distance of a point to its closest adversarial example, called the Second-order Smoothing (SoS) robustness certificate.
no code implementations • NeurIPS 2020 • Aounon Kumar, Alexander Levine, Soheil Feizi, Tom Goldstein
It uses the probabilities of predicting the top two most-likely classes around an input point under a smoothing distribution to generate a certified radius for a classifier's prediction.
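In its standard form (Cohen et al., 2019), the certificate described here is a closed-form function of those two probabilities; a minimal sketch, assuming `p_top` and `p_runner_up` are already valid lower and upper bounds obtained by Monte Carlo estimation with confidence intervals:

```python
# Gaussian randomized-smoothing certificate: the certified L2 radius grows
# with the gap between the top two class probabilities under noise.
from scipy.stats import norm

def certified_l2_radius(p_top, p_runner_up, sigma):
    # R = (sigma / 2) * (Phi^{-1}(p_top) - Phi^{-1}(p_runner_up))
    return 0.5 * sigma * (norm.ppf(p_top) - norm.ppf(p_runner_up))

print(certified_l2_radius(0.9, 0.1, sigma=0.5))  # ~0.64
```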
no code implementations • NeurIPS 2020 • Wei-An Lin, Chun Pong Lau, Alexander Levine, Rama Chellappa, Soheil Feizi
Using OM-ImageNet, we first show that adversarial training in the latent space of images improves both standard accuracy and robustness to on-manifold attacks.
no code implementations • 26 Jun 2020 • Alexander Levine, Soheil Feizi
Our defense against label-flipping attacks, SS-DPA, uses a semi-supervised learning algorithm as its base classifier model: each base classifier is trained using the entire unlabeled training set in addition to the labels for a partition.
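A hedged sketch of the SS-DPA twist on DPA: only the labels are partitioned, so a flipped label corrupts at most one base model, while every base model may consume the full unlabeled training set (`train_semi_supervised` is a hypothetical stand-in for the semi-supervised learner; prediction is the same majority vote as in DPA).

```python
# SS-DPA sketch: partition labels, not inputs. Each base classifier sees
# all inputs unlabeled, plus the labels from one partition only.
def ss_dpa_train(inputs, labels, k, train_semi_supervised):
    label_partitions = [{} for _ in range(k)]
    for idx, label in labels.items():
        label_partitions[hash(idx) % k][idx] = label
    return [train_semi_supervised(inputs, part) for part in label_partitions]
```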
1 code implementation • NeurIPS 2020 • Alexander Levine, Soheil Feizi
In this paper, we introduce a certifiable defense against patch attacks that guarantees that, for a given image and patch attack size, no patch adversarial examples exist.
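A hedged sketch of the structured-ablation strategy behind such a certificate, in a column-smoothing style: classify one copy of the image per column band, keeping only that band, and take a majority vote. A patch of width m intersects at most m + s - 1 bands of width s, so a large enough vote gap rules out all patch placements (tie-breaking details omitted; `classify` is a stand-in base classifier).

```python
# Column-ablation voting: each vote sees only one band of columns, so a
# patch of width m can influence at most (m + band_width - 1) votes.
from collections import Counter
import numpy as np

def column_smoothed_predict(image, classify, band_width, patch_width):
    w = image.shape[1]
    votes = Counter()
    for start in range(w):
        cols = [(start + i) % w for i in range(band_width)]
        ablated = np.zeros_like(image)
        ablated[:, cols] = image[:, cols]   # keep one band, ablate the rest
        votes[classify(ablated)] += 1
    (top, n_top), = votes.most_common(1)
    n_second = max([n for c, n in votes.items() if c != top], default=0)
    affected = patch_width + band_width - 1
    certified = n_top - n_second > 2 * affected
    return top, certified
```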
1 code implementation • ICML 2020 • Aounon Kumar, Alexander Levine, Tom Goldstein, Soheil Feizi
Notably, for $p \geq 2$, this dependence on $d$ is no better than that of the $\ell_p$-radius that can be certified using isotropic Gaussian smoothing, essentially putting a matching lower bound on the robustness radius.
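The dimension dependence at issue follows from a standard norm comparison; a short sketch of the reasoning:

```latex
% For p \ge 2 and x \in \mathbb{R}^d, \|x\|_2 \le d^{1/2 - 1/p}\,\|x\|_p.
% Hence a certified \ell_2 radius r_2 (isotropic Gaussian smoothing)
% already yields a certified \ell_p radius
r_p \;=\; r_2 \cdot d^{\,1/p - 1/2},
% which shrinks with d for p > 2; the matching lower bound says that no
% smoothing distribution can achieve a better dependence on d.
```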
1 code implementation • 21 Nov 2019 • Alexander Levine, Soheil Feizi
This is comparable to the observed empirical robustness of unprotected classifiers on MNIST to modern L_0 attacks, demonstrating the tightness of the proposed robustness certificate.
no code implementations • 23 Oct 2019 • Alexander Levine, Soheil Feizi
An example of an attack method based on a non-additive threat model is the Wasserstein adversarial attack proposed by Wong et al. (2019), where the distance between an image and its adversarial example is determined by the Wasserstein metric ("earth-mover distance") between their normalized pixel intensities.
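A toy illustration of the metric behind this threat model (not the attack itself): scipy's one-dimensional earth-mover distance between normalized intensities; the attack applies the two-dimensional analogue to images.

```python
# Earth-mover distance between two "images" that differ by shifting all
# mass one position: the distance equals the mass-weighted transport cost.
import numpy as np
from scipy.stats import wasserstein_distance

x = np.array([0.0, 4.0, 0.0, 0.0])
x_adv = np.array([0.0, 0.0, 4.0, 0.0])
positions = np.arange(len(x))

d = wasserstein_distance(positions, positions,
                         x / x.sum(), x_adv / x_adv.sum())
print(d)  # 1.0: all mass moved by one pixel
```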
no code implementations • 28 May 2019 • Alexander Levine, Sahil Singla, Soheil Feizi
Deep learning interpretation is essential to explain the reasoning behind model predictions.