Generally speaking, in most computer vision applications a successful AML attack does far more damage to the user than an ordinary misclassification. A benign misclassification usually produces a conclusion that is obviously wrong, so the user can recognise it as an error: an autonomous vehicle that identifies a road STOP sign as a red balloon has clearly misidentified the image. A successful AML attack, by contrast, can make the system identify the STOP sign as a SPEED LIMIT sign, a plausible output that could result in a serious car accident.
For this reason, when we tune the detection and defense settings of our proposed system, we should not use classification accuracy, AUC score, or attack success rate directly as the metric. Instead, we define an overall cost objective function, a weighted sum of the counts of each classification outcome over the test images, and choose the defense parameters that minimize it.
Each of the six decision outputs of our proposed system ( to ) carries, for a given image, either a cost (for a misidentification) or a gain (for a correct identification); a gain is simply a negative cost. Let , , and denote the gains of the three good decisions (, and ) and , , and the costs of the three wrongful decisions (, and ).
The objective cost function () for choosing the optimal defense parameter (Top_k) in the secondary RF classification module is given in Algorithm 3 and Equation (1). We find the optimal k by evaluating the equation for every k from 1 to 100 and selecting the k that yields the minimum output (). The parameters to are the numbers of test images that receive decisions to , respectively.
To compute , , …, and , Algorithm 3 loops over the entire CIFAR-100 test set. Each image (x) has already been assigned by Algorithm 1 to one of three sets (SETcrc, SETmis, and SETadv). Each branch of the algorithm checks which set x belongs to and whether the DNN prediction is matched by the RF, that is, whether it appears among the RF's Top_k outcomes. For example, suppose x shows a human, the DNN identifies it correctly, and that prediction also appears in the Top_3 RF outcomes. In that case the decision state is set to and the counter is incremented by one.
This optimization is carried out after the training stage, when the ground truth of every image is known (Section 3), so the values of to can be computed for each Top_k value over all test images. Since k takes only a limited number of values (in our model, 100 values ranging from 1 to 100), the optimization reduces to an exhaustive search over k and poses no technical difficulty.
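As an added illustration (not the authors' Algorithm 3 or code), the following Python carries out the search described above on a small constructed stand-in for the output of Algorithm 1. Because the page does not spell out the six decisions, it assumes they are the three subsets (SETcrc, SETmis, SETadv) crossed with whether the DNN label appears in the RF's Top_k (accept) or not (flag), and that Equation (1) sums the weighted costs of the three wrongful decisions minus the weighted gains of the three good ones. The gain/cost values, the class count and the ranks of the sample images are hypothetical. The same counts are also evaluated with uniform weights, which is what an accuracy-style metric amounts to, to show that the two objectives can select different values of k.

```python
"""Cost-based selection of the RF Top_k parameter (illustrative, not the paper's code).

Assumptions not stated on the page:
  * Algorithm 1 has labelled every test image as "crc" (clean, correctly classified
    by the DNN), "mis" (clean, misclassified) or "adv" (adversarial).
  * The system accepts the DNN label if it appears in the RF's Top_k ranking and
    flags the image otherwise, giving six outcomes D1..D6 (see OUTCOMES).
  * Equation (1) is J(k) = sum(c_i * n_i over bad decisions) - sum(g_i * n_i over good ones).
Gain/cost values, the class count and the sample ranks below are hypothetical.
"""
from dataclasses import dataclass

N_CLASSES = 10  # stand-in for CIFAR-100's 100 classes; keeps the constructed data short


@dataclass(frozen=True)
class Sample:
    subset: str          # "crc", "mis" or "adv", as assigned by Algorithm 1
    dnn_label: int       # the DNN's predicted class
    rf_ranking: tuple    # RF classes ordered from most to least probable


# (subset, DNN label accepted by RF Top_k?) -> decision outcome
OUTCOMES = {
    ("crc", True):  "D1",  # clean and correct, accepted             (gain g1)
    ("mis", False): "D2",  # clean misclassification, flagged        (gain g2)
    ("adv", False): "D3",  # adversarial image, flagged              (gain g3)
    ("crc", False): "D4",  # clean and correct, flagged: false alarm (cost c4)
    ("mis", True):  "D5",  # clean misclassification slipped through (cost c5)
    ("adv", True):  "D6",  # adversarial image accepted              (cost c6)
}

# Hypothetical weights: an accepted adversarial image is by far the costliest outcome.
GAINS = {"D1": 1, "D2": 1, "D3": 3}
COSTS = {"D4": 1, "D5": 2, "D6": 10}
# Uniform weights turn J(k) into a plain error count, i.e. an accuracy-style objective.
UNIFORM_GAINS = {"D1": 1, "D2": 1, "D3": 1}
UNIFORM_COSTS = {"D4": 1, "D5": 1, "D6": 1}


def decide(sample, k):
    """One branch of the Algorithm 3 loop: which of D1..D6 does this image fall into?"""
    accepted = sample.dnn_label in sample.rf_ranking[:k]
    return OUTCOMES[(sample.subset, accepted)]


def count_outcomes(samples, k):
    """The counters n1..n6 for a given Top_k, accumulated over the whole test set."""
    counts = dict.fromkeys(OUTCOMES.values(), 0)
    for s in samples:
        counts[decide(s, k)] += 1
    return counts


def cost(counts, gains, costs):
    """Assumed form of Equation (1): weighted costs of bad decisions minus weighted gains."""
    bad = sum(costs[d] * counts[d] for d in costs)
    good = sum(gains[d] * counts[d] for d in gains)
    return bad - good


def select_top_k(samples, gains, costs, k_max=100):
    """Exhaustive search over k = 1..k_max; returns (best k, minimum J(k))."""
    best = None
    for k in range(1, k_max + 1):
        j = cost(count_outcomes(samples, k), gains, costs)
        if best is None or j < best[1]:  # the smallest k wins on ties
            best = (k, j)
    return best


def ranking_with(label, rank, n_classes=N_CLASSES):
    """Constructed RF ranking that places `label` at 1-indexed position `rank`."""
    others = [c for c in range(n_classes) if c != label]
    return tuple(others[:rank - 1] + [label] + others[rank - 1:])


def constructed_test_set():
    """Constructed stand-in for Algorithm 1's output: (subset, rank of the DNN label in the RF ranking)."""
    spec = [("crc", 1), ("crc", 2), ("crc", 3), ("crc", 5), ("crc", 5), ("crc", 5),
            ("mis", 2), ("mis", 6),
            ("adv", 4), ("adv", 8), ("adv", 10)]
    return [Sample(subset, i % N_CLASSES, ranking_with(i % N_CLASSES, rank))
            for i, (subset, rank) in enumerate(spec)]


if __name__ == "__main__":
    samples = constructed_test_set()
    for k in range(1, 11):
        n = count_outcomes(samples, k)
        print(k, n, cost(n, GAINS, COSTS))
    print("cost-weighted optimum (k, J):", select_top_k(samples, GAINS, COSTS))
    print("uniform-weight optimum (k, J):", select_top_k(samples, UNIFORM_GAINS, UNIFORM_COSTS))
```

On this constructed set the cost-weighted objective picks k = 3, where no adversarial image is accepted, while the uniform (accuracy-like) objective picks k = 5, which accepts every clean image at the price of letting one adversarial image through. Two points a practitioner should keep in mind: the selected k depends entirely on the chosen gain and cost values, so those should reflect the real consequences of each outcome in the deployment; and selecting k on the same images used to report final results is optimistic, so a held-out split is preferable for the selection step.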