184 research outputs found
Is Deep Learning Safe for Robot Vision? Adversarial Examples against the iCub Humanoid
Deep neural networks have been widely adopted in recent years, exhibiting
impressive performances in several application domains. It has however been
shown that they can be fooled by adversarial examples, i.e., images altered by
a barely-perceivable adversarial noise, carefully crafted to mislead
classification. In this work, we aim to evaluate the extent to which
robot-vision systems embodying deep-learning algorithms are vulnerable to
adversarial examples, and propose a computationally efficient countermeasure to
mitigate this threat, based on rejecting classification of anomalous inputs. We
then provide a clearer understanding of the safety properties of deep networks
through an intuitive empirical analysis, showing that the mapping learned by
such networks essentially violates the smoothness assumption of learning
algorithms. We finally discuss the main limitations of this work, including the
creation of real-world adversarial examples, and sketch promising research
directions. Comment: Accepted for publication at the ICCV 2017 Workshop on Vision in
Practice on Autonomous Robots (ViPAR
Why Do Adversarial Attacks Transfer? Explaining Transferability of Evasion and Poisoning Attacks
Transferability captures the ability of an attack against a machine-learning
model to be effective against a different, potentially unknown, model.
Empirical evidence for transferability has been shown in previous work, but the
underlying reasons why an attack transfers or not are not yet well understood.
In this paper, we present a comprehensive analysis aimed to investigate the
transferability of both test-time evasion and training-time poisoning attacks.
We provide a unifying optimization framework for evasion and poisoning attacks,
and a formal definition of transferability of such attacks. We highlight two
main factors contributing to attack transferability: the intrinsic adversarial
vulnerability of the target model, and the complexity of the surrogate model
used to optimize the attack. Based on these insights, we define three metrics
that impact an attack's transferability. Interestingly, our results derived
from theoretical analysis hold for both evasion and poisoning attacks, and are
confirmed experimentally using a wide range of linear and non-linear
classifiers and datasets.
Modeling human Usher syndrome during Drosophila melanogaster development
Human Usher syndrome is a severe and congenital form of syndromic deafness that affects 1 person in 25,000 people in the world population. Normally the stereocilia, microvillar protrusions of the apical membrane of inner ear hair cells, are organized into coherent bundles. This precise organization is critical for mechanosensing, i.e. for hearing. Mutation in any of the five known Usher syndrome genes is sufficient to alter the precise organization of stereocilia, a condition that results in deafness. To date, however, the molecular mechanisms responsible for the splaying of stereocilia and genesis of the disease are not well understood. Here, I identified Drosophila melanogaster genes related to human Usher syndrome and characterized some of them (Cad99C, DSANS and crinkled) during Drosophila development, in the processes of microvilli morphogenesis in the follicular and wing imaginal disc epithelia. Cadherin Cad99C is a transmembrane protein with putative cell adhesion properties. Similar to its human ortholog Protocadherin 15, Drosophila Cad99C localizes to microvillar protrusions in the follicular epithelium. In this epithelium, Cad99C is required for the proper morphogenesis and organization of microvilli into bundles, similar to human Protocadherin 15. Further, overexpression of the full-length Cad99C or of a deleted version, devoid of the cytoplasmic region, promotes microvilli bundling. This finding suggests that Cad99C establishes adhesive interactions between microvilli via its extracellular region. Interestingly, morphological alteration of follicle cell microvilli associates with defective deposition of the vitelline membrane, an extracellular matrix that protects the embryo from osmotic stresses. These findings suggest that microvilli are normally required for the even deposition of the extracellular matrix. 
In order to test whether Cad99C is involved in microvilli morphogenesis and bundling in other tissues, I analyzed the function of Cad99C in a larval tissue, the wing imaginal disc. Cad99C overexpression, but not Cad99C removal, is sufficient to alter microvilli morphology and organization in the columnar epithelium of the wing imaginal disc. Likely, other molecules can compensate for Cad99C loss of function in this tissue. To possibly get some insights on the molecular function of other Usher syndrome proteins, I analyzed the function of Drosophila SANS and crinkled in the follicular epithelium, where both these genes are expressed. crinkled is the ortholog of myosinVIIa, that encodes a motor protein of the actin cytoskeleton. DSANS is related to human SANS and encodes a cytoplasmic protein of unknown function. It has been puzzling how removal of SANS, a cytoplasmic protein, could impair adhesion and bundling of stereocilia. To study the function of DSANS, I generated null mutant flies and observed that, in the absence of DSANS, delivery of Cad99C to microvilli is impaired. Cad99C localization is however unperturbed in crinkled mutant follicle cells. By immunostaining, DSANS immunoreactivity was detected diffusively in the cytoplasm and in dot-like structures, possibly corresponding to vesicles. In conclusion, DSANS is a cytoplasmic protein that is required for the efficient delivery of Cad99C to microvilli protrusions. Taken together, the analysis that I here performed of Drosophila Usher syndrome related genes indicates two novel molecular mechanisms of function for the corresponding human Usher syndrome proteins. First, human Protocadherin 15, like Drosophila Cad99C, could be involved in establishing adhesive interactions between microvilli protrusions of the inner ear (stereocilia). Removal of Protocadherin 15 would then cause splaying of stereocilia due to lack of inter-stereocilia adhesive links. 
Second, the analysis here performed suggests that SANS is involved in the efficient delivery of Protocadherin 15 to stereocilia. Mutations in SANS would then lead to splaying of stereocilia and deafness due to poor localization of Protocadherin 15 to stereocilia.
Engineering nanowire quantum dots with iontronics
Achieving stable, high-quality quantum dots has proven challenging within
device architectures rooted in conventional solid-state device fabrication
paradigms. In fact, these are grappled with complex protocols in order to
balance ease of realization, scalability, and quantum transport properties.
Here, we demonstrate a novel paradigm of semiconductor quantum dot engineering
by exploiting ion gating. Our approach is found to enable the realization and
control of a novel quantum dot system: the iontronic quantum dot. Clear Coulomb
blockade peaks and their dependence on an externally applied magnetic field are
reported, together with the impact of device architecture and confinement
potential on quantum dot quality. Devices incorporating two identical quantum
dots in series are realized, addressing the reproducibility of the developed
approach. The iontronic quantum dot represents a novel class of
zero-dimensional quantum devices engineered to overcome the need for thin
dielectric layers, facilitating single-step device fabrication. Overall, the
reported approach holds the potential to revolutionize the development of
functional quantum materials and devices, driving rapid progress in solid state
quantum technologies.
Adversarial pruning: A survey and benchmark of pruning methods for adversarial robustness
Recent work has proposed neural network pruning techniques to reduce the size of a network while preserving robustness against adversarial examples, i.e., well-crafted inputs inducing a misclassification. These methods,
which we refer to as adversarial pruning methods, involve complex and articulated designs, making it difficult
to analyze the differences and establish a fair and accurate comparison. In this work, we overcome these
issues by surveying current adversarial pruning methods and proposing a novel robustness-oriented taxonomy
to categorize them based on two main dimensions: the pipeline, defining when to prune; and the specifics,
defining how to prune. We then highlight the limitations of current empirical analyses and propose a novel,
fair evaluation benchmark to address them. We finally conduct an empirical re-evaluation of current adversarial
pruning methods and discuss the results, highlighting the shared traits of top-performing adversarial pruning
methods, as well as common issues. We welcome contributions in our publicly-available benchmark at
https://github.com/pralab/AdversarialPruningBenchmark
Machine Learning Security Against Data Poisoning: Are We There Yet?
Poisoning attacks compromise the training data utilized to train machine learning (ML) models, diminishing their overall performance, manipulating predictions on specific test samples, and implanting backdoors. This article thoughtfully explores these attacks while discussing strategies to mitigate them through fundamental security principles or by implementing defensive mechanisms tailored for ML.
