Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.1109/tii.2022.3197190

IF: 12.3

2023-01-01

IEEE Transactions on Industrial Informatics

Abstract:In modern industries, data-driven fault detection and classification (FDC) systems can efficiently maintain industrial security and stability, while the security of the data-driven FDC system itself is rarely or even never considered. The security problem named adversarial vulnerability is the intrinsic of data-driven machine learning models, which will give incorrect predictions under the maliciously perturbed input data. This paper presents a work on this new security topic of the data-driven FDC systems, by 1) summarizing and comparing various recent and typical adversarial attack and defense methods for fault classifiers; 2) proposing novel attack and defense techniques for unsupervised fault detectors; 3) constructing a novel industrial adversarial security benchmark on FDC systems in the Tennessee-Eastman process (TEP) dataset; 4) exploring and discussing which attack is most potentially threatening for FDC systems and which defense technique is most applicable to mitigate attacks. The results reveal unique security properties of FDC systems, mainly including 1) for fault classifiers, black-box attack is close to the attack strength of white-box FGSM and the universal transferable attack is not significantly stronger than random noise; 2) weak adversarial training is excellent with high adversarial accuracy improvement and negligible clean accuracy decrease; 3) fault detectors are intrinsically more robust, and can be well protected by strong adversarial training. More intriguing properties and profound insights are demonstrated in the paper. This pioneering work could guide researchers and practitioners in discovering and navigating the field of FDC system adversarial robustness, outlining the research directions and open problems.

Xiaoyu Jiang,Xiangyin Kong,Junhua Zheng,Zhiqiang Ge,Xinmin Zhang,Zhihuan Song

DOI: https://doi.org/10.1109/tii.2024.3449999

IF: 12.3

2024-01-01

IEEE Transactions on Industrial Informatics

Abstract:In recent years, deep neural networks (DNNs) have been widely applied in fault classification tasks. Their adversarial security has received attention, but little consideration has been given to the robustness of adversarial attacks against imperfect DNNs. Owing to the data scarcity and quality deficiencies prevalent in industrial data, the performance of DNNs may be severely constrained. In addition, black-box attacks against industrial fault classification models have difficulty in obtaining sufficient and comprehensive data for constructing surrogate models with perfect decision boundaries. To address this gap, this article analyzes the outcomes of adversarial attacks on imperfect DNNs and categorizes their decision scenarios. Subsequently, building on this analysis, we propose a robust adversarial attack strategy that transforms traditional adversarial attacks into an iterative targeted attack (ITA). The ITA framework begins with an evaluation of DNNs, during which a classification confidence score (CCS) is designed. Using the CCS and the prediction probability of the data, the labels and sequences for targeted attacks are defined. The adversarial attacks are then carried out by iteratively selecting attack targets and using gradient optimization. Experimental results on both a benchmark dataset and an industrial case demonstrate the superiority of the proposed method.

Yue Zhuo,Yuri A. W. Shardt,Zhiqiang Ge

DOI: https://doi.org/10.1016/j.eng.2021.07.033

IF: 12.834

2022-01-01

Engineering

Abstract:Recently developed fault classification methods for industrial processes are mainly data-driven. Notably, models based on deep neural networks have significantly improved fault classification accuracy owing to the inclusion of a large number of data patterns. However, these data-driven models are vulnerable to adversarial attacks; thus, small perturbations on the samples can cause the models to provide incorrect fault predictions. Several recent studies have demonstrated the vulnerability of machine learning methods and the existence of adversarial samples. This paper proposes a black-box attack method with an extreme constraint for a safe-critical industrial fault classification system: Only one variable can be perturbed to craft adversarial samples. Moreover, to hide the adversarial samples in the visualization space, a Jacobian matrix is used to guide the perturbed variable selection, making the adversarial samples in the dimensional reduction space invisible to the human eye. Using the one-variable attack (OVA) method, we explore the vulnerability of industrial variables and fault types, which can help understand the geometric characteristics of fault classification systems. Based on the attack method, a corresponding adversarial training defense method is also proposed, which efficiently defends against an OVA and improves the prediction accuracy of the classifiers. In experiments, the proposed method was tested on two datasets from the Tennessee–Eastman process (TEP) and steel plates (SP). We explore the vulnerability and correlation within variables and faults and verify the effectiveness of OVAs and defenses for various classifiers and datasets. For industrial fault classification systems, the attack success rate of our method is close to (on TEP) or even higher than (on SP) the current most effective first-order white-box attack method, which requires perturbation of all variables.

z zhang,m sun,r deng,c kang

DOI: https://doi.org/10.1109/tpwrs.2022.3169139

IF: 7.326

2022-01-01

IEEE Transactions on Power Systems

Abstract:Machine learning (ML) approaches have been widely developed to enable real-time stability assessment for large-scale electricity grids. However, it also has been extensively recognized that the ML model is vulnerable to adversarial examples, which are instances slightly perturbed from the original examples and remain invisible to human eyes. However, the adversarial examples in power systems should not only result in incorrect decisions but also follow the electricity laws and transfer limits, and can bypass the bad data detector. To this end, this paper proposes a novel concept named physics-constrained robustness verification that aims to compute a lower-bound of adversarial perturbations, evaluating the vulnerability of intelligent stability assessment (ISA) for power systems. We first propose a general formulation to compute the physics-constrained robustness considering both the physical constraints and stealthy/invisible requirements. Then analytical results are provided for the robustness of ISA with mislabelling, power balance, and invisible requirement constraints, consecutively. Furthermore, static stability assessment is employed as an example to evaluate the robustness of the applied ML model by providing explicit formulations. Finally, extensive experiments are conducted to evaluate the physics-constrained robustness of ISA under different settings with the real-world load profiles and provide suggestions to select the ML models.

Zhenqin Yin,Xinmin Zhang,Zhihuan Song,Zhiqiang Ge

DOI: https://doi.org/10.1109/tifs.2023.3343073

IF: 7.231

2024-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Data-driven models are revealed to be vulnerable to adversarial examples, so improving the model's adversarial robustness has attracted extensive research. However, in real-world industrial processes, the difficulty of collecting data for different fault types varies, leading to imbalanced data, which poses significant obstacles to adversarial robust learning. Furthermore, it results in inaccurate boundary learning, poor robustness, and overfitting to the majority class in common empirical adversarial training methods. To overcome these problems, we propose a balanced adversarial learning strategy. On the one hand, the balanced generalization processing penalizes the imbalance in the generation of adversarial variant in inner training, and calibrates the confidence using the class-aware label smoothing in outer training, so as to learn more accurate boundaries with better game relations. On the other hand, it involves robust regularization processing, which adopts the smooth augmentation of adversarial examples in the input and the addition of data-related soft label regularization to learn good generalization with enriched information. The proposed method is validated on two industrial fault classification benchmarks with imbalanced data, and comparisons with related methods demonstrate that our approach achieves better standard and robust performance.

Wenchuan Mu,Kwan Hui Lim

DOI: https://doi.org/10.1145/3639478.3643519

2024-04-25

Abstract:In deep learning applications, robustness measures the ability of neural models that handle slight changes in input data, which could lead to potential safety hazards, especially in safety-critical applications. Pre-deployment assessment of model robustness is essential, but existing methods often suffer from either high costs or imprecise results. To enhance safety in real-world scenarios, metrics that effectively capture the model's robustness are needed. To address this issue, we compare the rigour and usage conditions of various assessment methods based on different definitions. Then, we propose a straightforward and practical metric utilizing hypothesis testing for probabilistic robustness and have integrated it into the TorchAttacks library. Through a comparative analysis of diverse robustness assessment methods, our approach contributes to a deeper understanding of model robustness in safety-critical applications.

Software Engineering,Artificial Intelligence

Jinlin Zhu,Zhiqiang Ge,Zhihuan Song

DOI: https://doi.org/10.1109/TIE.2015.2396877

2015-01-01

Abstract:In this work, a novel hidden Markov model (HMM) driven robust latent variable model is proposed for fault classification in dynamic industrial processes. A robust probabilistic model with Student’s t mixture output is designed for tolerating outliers. Based on the robust latent variable model, the probabilistic structure is further developed into a classifier form so as to incorporate various types of process information during model acquisition. After that, the robust probabilistic classifier is extended within the HMM framework so as to characterize the time domain stochastic uncertainties. The model parameters are derived through the expectation maximization (EM) algorithm. For performance validation, the developed model is tested on the Tennessee Eastman (TE) benchmark process.

Rong Huang,Yuancheng Li

DOI: https://doi.org/10.1109/tsg.2022.3217060

IF: 10.275

2023-05-01

IEEE Transactions on Smart Grid

Abstract:The network attack detection model based on machine learning (ML) has received extensive attention and research in PMU measurement data protection of power systems. However, well-trained ML-based detection models are vulnerable to adversarial attacks. By adding meticulously designed perturbations to the original data, the attacker can significantly decrease the accuracy and reliability of the model, causing the control center to receive unreliable PMU measurement data. This paper takes the network attack detection model in the power system as a case study to analyze the vulnerability of the ML-based detection model under adversarial attacks. And then, a mitigation strategy for adversarial attacks based on causal theory is proposed, which can enhance the robustness of the detection model under different adversarial attack scenarios. Unlike adversarial training, this mitigation strategy does not require adversarial samples to train models, saving computing resources. Furthermore, the strategy only needs a small amount of detection model information and can be migrated to various models. Simulation experiments on the IEEE node systems verify the threat of adversarial attacks against different ML-based detection models and the effectiveness of the proposed mitigation strategy.

engineering, electrical & electronic

Zhenyong Zhang,Zhibo Yang,David K.Y. Yau,Youliang Tian,Jianfeng Ma

DOI: https://doi.org/10.1016/j.apenergy.2023.121405

IF: 11.2

2023-06-24

Applied Energy

Abstract:Towards the low-carbon goal, a smart grid features remote connection, data sharing, and cyber–physical integration to increase the flexibility of energy supplies, to reduce electricity wastage, and to enhance safety under intermittent renewables. In this context, machine learning (ML) is increasingly employed in smart grids to solve tasks that require deep data analytics. However, it is well recognized that ML models are vulnerable to adversarial examples that might be contained in open shared data, which creates opportunities for potential attackers to launch cyberattacks. In particular, system operating states acting as critical inputs to ML-based smart grid applications (MLsgAPPs) can be manipulated by malicious actors to mislead the system operator into making wrong decisions that in turn may cause major blackouts and other damaging cascading events. It is thus imperative to advance vulnerability assessment for MLsgAPPs. In this paper, we propose a physics-constrained robustness evaluation framework for MLsgAPPs, which is a first attempt of using tree ensemble (TE) models. Unlike adversarial attacks against prior studied image-classification tasks, adversarial examples against TE-based smart grid applications (TEsgAPPs) must not only cheat human intuition but also follow laws of physics and bypass error-checking mechanisms for power systems. Thus, formulation of the traditional robustness evaluation problem must be reconsidered to account for domain-specific misclassification, physical limit, power balance, and error-bypass constraints, in order to obtain tight lower bounds of the magnitudes of tolerated adversarial perturbations. We adopt a formal modeling approach to construct a discrete tree structure and to specify the model evasion conditions. We propose an efficient robustness evaluation method by transforming variables considering l1 and l∞ norms, followed by a generalization that expands the variable space to admit other types of norms. Using TE-based power system security assessment as an example, comprehensive simulations are conducted for evaluating the physics-constrained robustness under different TE models and model parameters.

energy & fuels,engineering, chemical

Mengting Xu,Tao Zhang,Zhongnian Li,Mingxia Liu,Daoqiang Zhang

DOI: https://doi.org/10.1016/j.media.2021.101977

IF: 10.9

2021-04-01

Medical Image Analysis

Abstract:<p>Deep learning models (with neural networks) have been widely used in challenging tasks such as computer-aided disease diagnosis based on medical images. Recent studies have shown deep diagnostic models may not be robust in the inference process and may pose severe security concerns in clinical practice. Among all the factors that make the model not robust, the most serious one is adversarial examples. The so-called "adversarial example" is a well-designed perturbation that is not easily perceived by humans but results in a false output of deep diagnostic models with high confidence. In this paper, we evaluate the robustness of deep diagnostic models by adversarial attack. Specifically, we have performed two types of adversarial attacks to three deep diagnostic models in both single-label and multi-label classification tasks, and found that these models are not reliable when attacked by adversarial example. We have further explored how adversarial examples attack the models, by analyzing their quantitative classification results, intermediate features, discriminability of features and correlation of estimated labels for both original/clean images and those adversarial ones. We have also designed two new defense methods to handle adversarial examples in deep diagnostic models, <em>i.e.</em>, Multi-Perturbations Adversarial Training (MPAdvT) and Misclassification-Aware Adversarial Training (MAAdvT). The experimental results have shown that the use of defense methods can significantly improve the robustness of deep diagnostic models against adversarial attacks.</p>

engineering, biomedical,computer science, interdisciplinary applications, artificial intelligence,radiology, nuclear medicine & medical imaging

M. Chow,Zhenyong Zhang,Ruilong Deng,Mingyang Sun,C. Kang

DOI: https://doi.org/10.1109/TPWRS.2022.3169139

IF: 7.326

2023-01-01

IEEE Transactions on Power Systems

Abstract:Machine learning (ML) algorithms have been widely developed to enable real-time security assessment for large-scale electricity grids. However, it also has been extensively recognized that the ML models are vulnerable to adversarial examples, which are slightly perturbed instances that can mislead the classifications but cannot be distinguished by human eyes. Considering the adversarial examples against the ML-based security assessment, they must not only cause misclassification but also follow the power balance and transfer limits and bypass the bad data detection. To this end, this paper proposes a novel concept named physics-constrained robustness that aims to computing a lower-bound of adversarial perturbations, evaluating the vulnerability of the ML-based intelligent security assessment (ISA) for power systems. A general optimization problem is formulated to compute the physics-constrained robustness of ISA with the mislabeling, power balance, power limitation, and invisible constraints. The analytical results and comparing relationship of ISA’s robustness with different constraints are provided. By using the static security assessment as an example, we provide explicit formulations to evaluate the physics-constrained robustness of. Finally, extensive experiments are conducted to evaluate the physics-constrained robustness of ISA in static and dynamic cases with the real-world load profiles from New York State and provide suggestions to select the ML models and parameters.

Physics,Engineering,Computer Science

Xingchen Ye,Liang Gao,Xinyu Li,Long Wen

DOI: https://doi.org/10.1007/s10489-022-04238-0

IF: 5.3

2022-10-23

Applied Intelligence

Abstract:Accurate bearing fault classification is essential for the safe and stable operation of rotating machinery. The success of Machine Learning (ML) in fault classification is mainly dependent on efficient features and the optimal pre-defined hyper-parameters. Various hyper-parameter optimization (HPO) methods have been proposed to tune the ML algorithms' hyper-parameters in low dimensions but ignore the hyper-parameters of Feature Engineering (FE). The hyper-parameter dimension is high because both FE and the ML algorithm contain many hyper-parameters. This paper proposed a new HPO method for high dimensions based on dimension reduction and partial dependencies. Firstly, the whole hyper-parameter space is separated into two subspaces of FE and the ML algorithm to reduce time consumption. Secondly, the sensitive intervals of hyperparameters can be recognized by partial dependencies due to the nonlinearity of the relationship between the hyperparameters. Then HPO is conducted in intervals to acquire more satisfactory accuracy. The proposed method is verified on three OpenML datasets and the CWRU bearing dataset. The results show that it can automatically construct efficient domain features and outperforms traditional HPO methods and famous ML algorithms. The proposed method is also very time efficient.

computer science, artificial intelligence

Yatong Bai,Brendon G. Anderson,Somayeh Sojoudi

2024-06-04

Abstract:Deep neural classifiers have recently found tremendous success in data-driven control systems. However, existing models suffer from a trade-off between accuracy and adversarial robustness. This limitation must be overcome in the control of safety-critical systems that require both high performance and rigorous robustness guarantees. In this work, we develop classifiers that simultaneously inherit high robustness from robust models and high accuracy from standard models. Specifically, we propose a theoretically motivated formulation that mixes the output probabilities of a standard neural network and a robust neural network. Both base classifiers are pre-trained, and thus our method does not require additional training. Our numerical experiments verify that the mixed classifier noticeably improves the accuracy-robustness trade-off and identify the confidence property of the robust base classifier as the key leverage of this more benign trade-off. Our theoretical results prove that under mild assumptions, when the robustness of the robust base model is certifiable, no alteration or attack within a closed-form $\ell_p$ radius on an input can result in the misclassification of the mixed classifier.

Machine Learning,Computer Vision and Pattern Recognition

Yize Chen,Yushi Tan,Deepjyoti Deka

DOI: https://doi.org/10.48550/arXiv.1808.08197

2018-08-27

Abstract:Recent advances in Machine Learning(ML) have led to its broad adoption in a series of power system applications, ranging from meter data analytics, renewable/load/price forecasting to grid security assessment. Although these data-driven methods yield state-of-the-art performances in many tasks, the robustness and security of applying such algorithms in modern power grids have not been discussed. In this paper, we attempt to address the issues regarding the security of ML applications in power systems. We first show that most of the current ML algorithms proposed in power systems are vulnerable to adversarial examples, which are maliciously crafted input data. We then adopt and extend a simple yet efficient algorithm for finding subtle perturbations, which could be used for generating adversaries for both categorical(e.g., user load profile classification) and sequential applications(e.g., renewables generation forecasting). Case studies on classification of power quality disturbances and forecast of building loads demonstrate the vulnerabilities of current ML algorithms in power networks under our adversarial designs. These vulnerabilities call for design of robust and secure ML algorithms for real world applications.

Systems and Control

Pu Zhao,Siyue Wang,Cheng Gongye,Yanzhi Wang,Yunsi Fei,Xue Lin

DOI: https://doi.org/10.48550/arXiv.1905.12032

IF: 5.414

2019-05-28

Machine Learning

Abstract:Despite the great achievements of deep neural networks (DNNs), the vulnerability of state-of-the-art DNNs raises security concerns of DNNs in many application domains requiring high reliability.We propose the fault sneaking attack on DNNs, where the adversary aims to misclassify certain input images into any target labels by modifying the DNN parameters. We apply ADMM (alternating direction method of multipliers) for solving the optimization problem of the fault sneaking attack with two constraints: 1) the classification of the other images should be unchanged and 2) the parameter modifications should be minimized. Specifically, the first constraint requires us not only to inject designated faults (misclassifications), but also to hide the faults for stealthy or sneaking considerations by maintaining model accuracy. The second constraint requires us to minimize the parameter modifications (using L0 norm to measure the number of modifications and L2 norm to measure the magnitude of modifications). Comprehensive experimental evaluation demonstrates that the proposed framework can inject multiple sneaking faults without losing the overall test accuracy performance.

Xugui Zhou,Maxfield Kouzel,Homa Alemzadeh

DOI: https://doi.org/10.48550/arXiv.2204.09183

2022-05-03

Abstract:The growing complexity of Cyber-Physical Systems (CPS) and challenges in ensuring safety and security have led to the increasing use of deep learning methods for accurate and scalable anomaly detection. However, machine learning (ML) models often suffer from low performance in predicting unexpected data and are vulnerable to accidental or malicious perturbations. Although robustness testing of deep learning models has been extensively explored in applications such as image classification and speech recognition, less attention has been paid to ML-driven safety monitoring in CPS. This paper presents the preliminary results on evaluating the robustness of ML-based anomaly detection methods in safety-critical CPS against two types of accidental and malicious input perturbations, generated using a Gaussian-based noise model and the Fast Gradient Sign Method (FGSM). We test the hypothesis of whether integrating the domain knowledge (e.g., on unsafe system behavior) with the ML models can improve the robustness of anomaly detection without sacrificing accuracy and transparency. Experimental results with two case studies of Artificial Pancreas Systems (APS) for diabetes management show that ML-based safety monitors trained with domain knowledge can reduce on average up to 54.2% of robustness error and keep the average F1 scores high while improving transparency.

Machine Learning,Artificial Intelligence

Shuang Ge,Kehong Yuan,Maokun Han,Desheng Sun,Huabin Zhang,Qiongyu Ye

DOI: https://doi.org/10.48550/arXiv.2206.04479

2022-06-09

Abstract:Artificial intelligence(AI)-assisted method had received much attention in the risk field such as disease diagnosis. Different from the classification of disease types, it is a fine-grained task to classify the medical images as benign or malignant. However, most research only focuses on improving the diagnostic accuracy and ignores the evaluation of model reliability, which limits its clinical application. For clinical practice, calibration presents major challenges in the low-data regime extremely for over-parametrized models and inherent noises. In particular, we discovered that modeling data-dependent uncertainty is more conducive to confidence calibrations. Compared with test-time augmentation(TTA), we proposed a modified Bootstrapping loss(BS loss) function with Mixup data augmentation strategy that can better calibrate predictive uncertainty and capture data distribution transformation without additional inference time. Our experiments indicated that BS loss with Mixup(BSM) model can halve the Expected Calibration Error(ECE) compared to standard data augmentation, deep ensemble and MC dropout. The correlation between uncertainty and similarity of in-domain data is up to -0.4428 under the BSM model. Additionally, the BSM model is able to perceive the semantic distance of out-of-domain data, demonstrating high potential in real-world clinical practice.

Computer Vision and Pattern Recognition

Ayesha Siddique,Ripan Kumar Kundu,Gautam Raj Mode,Khaza Anuarul Hoque

DOI: https://doi.org/10.48550/arXiv.2301.10822

2023-01-25

Cryptography and Security

Abstract:The state-of-the-art predictive maintenance (PdM) techniques have shown great success in reducing maintenance costs and downtime of complicated machines while increasing overall productivity through extensive utilization of Internet-of-Things (IoT) and Deep Learning (DL). Unfortunately, IoT sensors and DL algorithms are both prone to cyber-attacks. For instance, DL algorithms are known for their susceptibility to adversarial examples. Such adversarial attacks are vastly under-explored in the PdM domain. This is because the adversarial attacks in the computer vision domain for classification tasks cannot be directly applied to the PdM domain for multivariate time series (MTS) regression tasks. In this work, we propose an end-to-end methodology to design adversarially robust PdM systems by extensively analyzing the effect of different types of adversarial attacks and proposing a novel adversarial defense technique for DL-enabled PdM models. First, we propose novel MTS Projected Gradient Descent (PGD) and MTS PGD with random restarts (PGD_r) attacks. Then, we evaluate the impact of MTS PGD and PGD_r along with MTS Fast Gradient Sign Method (FGSM) and MTS Basic Iterative Method (BIM) on Long Short-Term Memory (LSTM), Gated Recurrent Unit (GRU), Convolutional Neural Network (CNN), and Bi-directional LSTM based PdM system. Our results using NASA's turbofan engine dataset show that adversarial attacks can cause a severe defect (up to 11X) in the RUL prediction, outperforming the effectiveness of the state-of-the-art PdM attacks by 3X. Furthermore, we present a novel approximate adversarial training method to defend against adversarial attacks. We observe that approximate adversarial training can significantly improve the robustness of PdM models (up to 54X) and outperforms the state-of-the-art PdM defense methods by offering 3X more robustness.

Xiaozhe Gu,Arvind Easwaran

DOI: https://doi.org/10.1145/3302509.3311038

2019-09-11

Abstract:Machine learning (ML) techniques are increasingly applied to decision-making and control problems in Cyber-Physical Systems among which many are safety-critical, e.g., chemical plants, robotics, autonomous vehicles. Despite the significant benefits brought by ML techniques, they also raise additional safety issues because 1) most expressive and powerful ML models are not transparent and behave as a black box and 2) the training data which plays a crucial role in ML safety is usually incomplete. An important technique to achieve safety for ML models is "Safe Fail", i.e., a model selects a reject option and applies the backup solution, a traditional controller or a human operator for example, when it has low confidence in a prediction. Data-driven models produced by ML algorithms learn from training data, and hence they are only as good as the examples they have learnt. As pointed in [17], ML models work well in the "training space" (i.e., feature space with sufficient training data), but they could not extrapolate beyond the training space. As observed in many previous studies, a feature space that lacks training data generally has a much higher error rate than the one that contains sufficient training samples [31]. Therefore, it is essential to identify the training space and avoid extrapolating beyond the training space. In this paper, we propose an efficient Feature Space Partitioning Tree (FSPT) to address this problem. Using experiments, we also show that, a strong relationship exists between model performance and FSPT score.

Systems and Control,Machine Learning

Xiangli Yang,Xijie Deng,Hanwei Zhang,Yang Zou,Jianxi Yang

2024-06-20

Abstract:Structural health monitoring (SHM) is critical to safeguarding the safety and reliability of aerospace, civil, and mechanical infrastructure. Machine learning-based data-driven approaches have gained popularity in SHM due to advancements in sensors and computational power. However, machine learning models used in SHM are vulnerable to adversarial examples -- even small changes in input can lead to different model outputs. This paper aims to address this problem by discussing adversarial defenses in SHM. In this paper, we propose an adversarial training method for defense, which uses circle loss to optimize the distance between features in training to keep examples away from the decision boundary. Through this simple yet effective constraint, our method demonstrates substantial improvements in model robustness, surpassing existing defense mechanisms.

Machine Learning,Artificial Intelligence