Adversarial Attacks and Defense in Long Short-Term Memory Recurrent Neural Networks

Open Access

- Author: Schuessler, Joseph
- Graduate Program: Electrical Engineering
- Degree: Master of Science
- Document Type: Master Thesis
- Date of Defense: October 01, 2021
- Committee Members:
  - Kultegin Aydin, Program Head/Chair
  - David Jonathan Miller, Thesis Advisor/Co-Advisor
  - George Kesidis, Committee Member
  - Carina Pamela Curto, Committee Member
- Keywords: Adversarial Attacks; Data Poisoning; Recurrent Neural Networks; LSTM; Deep Learning; Machine Learning
- Abstract:
This work explores imperceptible adversarial attacks on time series data in recurrent neural networks, both to study the security of deep recurrent neural networks and to understand properties of learning in them. Because deep neural networks are widely used in application areas, there exists the possibility of degrading their accuracy and security by adversarial methods. The adversarial method explored in this work is backdoor data poisoning, in which an adversary poisons training samples with a small perturbation so that a source class is misclassified as a target class. In backdoor poisoning, the adversary has access to a subset of the training data with labels, the ability to poison those training samples, and the ability to change the source class label s* to the target class label t*. The adversary has no access to the classifier during training and no knowledge of the training process. This work also explores post-training defense against backdoor data poisoning by reviewing an iterative method that determines the source and target class pair in such an attack. First, the backdoor poisoning methods introduced in this work successfully fool an LSTM classifier without degrading accuracy on test samples that do not contain the backdoor pattern. Second, the defense method successfully determines the source and target class pair in such an attack. Third, backdoor poisoning in LSTMs requires either more training samples or a larger perturbation than in a standard feedforward network; LSTMs also require more hidden units and more training iterations for a successful attack. Last, in the defense of LSTMs, the gradient-based method produces larger gradients toward the tail end of the time series, indicating an interesting property of LSTMs: most of the learning occurs in the memory of the LSTM nodes.