Skip to content

09 6th February, Tuesday

PattenR edited this page Feb 6, 2018 · 4 revisions

Having done some reflection on the direction I want to take the project in I have settled on a more interesting/more attainable goal and will run through this a bit more in the next meeting, but will summarise here.

Detecting attacks seems to be a little beyond what I could aim to do in this project. These attacks are examples of different ways of performing the training process on a model, they are not modifications of the model itself. There currently exists research and open source code outlining more secure models: compressed networks and differentially private networks are the main two that I have seen in my investigation.

I think a good direction for this project would be to investigate how well each of these models resist the attacks, if at all. Differentially private models are defined in terms of semi-arbitrary parameters and it would be very interesting to be able to investigate if there was a link between how much "privacy" a model has and to what extent these training methods can be successful.

I feel as though this approach has to potential to give some interesting results, seems like a sensible next step in the research area I am investigating. I think this is something that I can be fairly certain will be achievable but there is a little less originality and this feels a bit like just putting different existing ideas together, so I will be interested to see what feedback I get on this in the next meeting.

Update: I have now started a Sharelatex document with my first outline of the initial sections of my thesis based on this.

Update 2:

Few things to consider:

  • Do I look to write an API to link the attacks straight into the models?
  • These attacks are designed to work on deeper networks, but some of the secure models are on shallower ones.
  • Do I look to reimplement one side to work with the other? Perhaps deeper networks are going to be more interesting as the attacks probably won't work well in shallower ones.

Update 3:

I have now tried running some of the code on BlueCrystal, and many of the libraries being used are unsupported. Given that I now have a fair understanding of the concepts being used and still have the code available, I think the best solution to this will be to rewrite all of the models/attacks using the tensor flow framework. Given this framework is more flexible than those already being used this shouldn't be a problem. This might be time consuming, but I feel as though this will be the most effective way forward.

The alternative is to try to get these libraries installed on BlueCrystal, which might be fairly straightforward. Rewriting may improve my understanding and avoid issues with different parts using different libraries.

Clone this wiki locally