# Introduction

## 1. Project Overview

The general aim of this project is to investigate developing a multiclass neural network image classifier, with a focus on improving the robustness of the classifier.

Robustness refers to the ability of the model to handle inputs which differ from its training set. 

The need for robustness can be split into two categories. Firstly, real-world data will always be a challenge, as it is impossible to encapsulate every type of data in the training set, so the model will always encounter something new in some capacity. We want to make the model robust to this. Secondly, for varying reasons, there can be attacks on systems. The aim of these attacks is to cause misclassification. This is the other type of robustness that we will consider.

## 2. Specific Problem

The application domain in which we will be investigating robustness is road sign image classification. This relates to a real-world problem which could become significant to our society in the future: the safety of driverless cars.

Driverless cars use sophisticated systems to decide what actions to take depending on what they record around them. Classifying road signs would be one part of this, and it is clearly important to be able to do this correctly.

There are now very accurate methods for tasks such as this - classification of images using convolutional neural networks, for example. However, there is ongoing research into the area of robustness of these approaches, as it is the case that even small changes to an image can cause a misclassification.

One future issue which has been proposed (e.g. in [Adversarial images and attacks with Keras and TensorFlow - PyImageSearch](https://pyimagesearch.com/2020/10/19/adversarial-images-and-attacks-with-keras-and-tensorflow/)) is terrorism through adversarial attacks on driverless car systems. We can imagine the chaos that could be caused by the malfunctioning of these systems. Specifically in the topic of road sign classification, we would not want a stop sign to be misinterpreted as a speed limit sign, for example.

## 3. Robustness

When creating a classification system such as one for road signs in a real-world setting, the developers must be aware at every stage of how an attacker might compromise the system.

Attack approaches include altering the training set, accessing or learning the architecture of the classifier, and accessing or learning the defences of the system. These are explained in more detail in Section *Adversarial Image Creation*.

For real-world systems, these challenges will be ongoing, as attackers can continue to try to learn about the defences and develop new attack methods. In this project, we will focus on the initial stages of improving robustness, rather than an ongoing approach.

We have also tried to include some of the constraints of the specific application, such as requiring that the attacks be something that could be physically applied to road signs.

## 4. Evaluation

To evaluate the success of our robustness improvements, we will create two classifiers which use a neural network: one which uses a standard convolutional neural network approach, and another which has additional defences built into it. We will then create a test set of a mixture of real images and adversarial images, and compare how the two classifiers perform.

If we were completing this evaluation in real life, we would probably want to investigate weighting the importance of correct classification of some road signs over others. For example, it would make sense to prioritise the correct classification of a stop sign over that of a warning for possible deer in the road. Within this, we could also consider which class a misclassified sign is assigned to: assigning a 20 speed limit to a 30 would objectively be less detrimental than assigning it to a 50. However, this would be a lot of options to consider and define the importance of, which exceeds our time limits in this case. Therefore, we will give equal weight to all classes.

Thus, we will measure the success of our models by looking at the average F1 scores, which take into account both precision and recall, and use these for our evaluation.
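The comparison described above can be sketched as follows. This is an added example, not code from the project: the three-class label subset, the sample predictions and the function names are constructed for illustration. It computes the equally weighted (macro) average of per-class F1 for a baseline and a defended classifier, split by clean and adversarial inputs.

```python
from collections import Counter

# Constructed sample: (true label, is_adversarial, baseline prediction, defended prediction)
CLASSES = ["stop", "speed_30", "speed_50"]
SAMPLES = [
    ("stop", False, "stop", "stop"),
    ("stop", False, "stop", "stop"),
    ("stop", True, "speed_30", "stop"),
    ("stop", True, "speed_50", "speed_30"),
    ("speed_30", False, "speed_30", "speed_30"),
    ("speed_30", False, "speed_30", "speed_30"),
    ("speed_30", True, "speed_50", "speed_30"),
    ("speed_50", False, "speed_50", "speed_50"),
    ("speed_50", False, "speed_50", "speed_30"),
    ("speed_50", True, "stop", "speed_50"),
]

def per_class_f1(y_true, y_pred, classes):
    """Return {class: F1}, where F1 = 2TP / (2TP + FP + FN); 0.0 if undefined."""
    tp, fp, fn = Counter(), Counter(), Counter()
    for t, p in zip(y_true, y_pred):
        if t == p:
            tp[t] += 1
        else:
            fp[p] += 1  # predicted class gains a false positive
            fn[t] += 1  # true class gains a false negative
    scores = {}
    for c in classes:
        denom = 2 * tp[c] + fp[c] + fn[c]
        scores[c] = 2 * tp[c] / denom if denom else 0.0
    return scores

def macro_f1(y_true, y_pred, classes):
    """Unweighted mean of per-class F1: every class counts equally."""
    return sum(per_class_f1(y_true, y_pred, classes).values()) / len(classes)

def evaluate(samples, classes):
    """Macro F1 of both classifiers on the full, clean-only and adversarial-only sets."""
    subsets = {"all": lambda adv: True, "clean": lambda adv: not adv,
               "adversarial": lambda adv: adv}
    report = {}
    for name, keep in subsets.items():
        rows = [s for s in samples if keep(s[1])]
        truth = [r[0] for r in rows]
        report[name] = {"baseline": macro_f1(truth, [r[2] for r in rows], classes),
                        "defended": macro_f1(truth, [r[3] for r in rows], classes)}
    return report

if __name__ == "__main__":
    for subset, scores in evaluate(SAMPLES, CLASSES).items():
        print(subset, {k: round(v, 3) for k, v in scores.items()})
```

Reporting the clean and adversarial subsets separately, as well as the mixed set, shows whether a defence buys robustness at the cost of accuracy on unmodified images.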

## 5. Dataset

The dataset that we decided to use - [GTSRB - German Traffic Sign Recognition Benchmark | Kaggle](https://www.kaggle.com/datasets/meowmeowmeowmeowmeow/gtsrb-german-traffic-sign) - is of German road signs. For our purposes, this dataset works well, as it should emulate the type of data that would be obtained by driverless cars.

The images are of 43 classes of road sign. It should be noted that there are in fact many more than 43 German road signs (see [Road signs in Germany](https://en.wikipedia.org/wiki/Road_signs_in_Germany)), but this seems a reasonable place to start looking at this type of problem.

The images have a good variety in quality, some of them being from different angles, of varying brightness etc., which we would expect from images taken by cars. All of the images have been centred on the sign, which is useful for our purposes: although this would not be the case with photos taken by cars, we can imagine that this is a preprocessing stage that has already been applied. In our timeframe, completing that preprocessing step ourselves would have been quite difficult, as it would require a neural network as sophisticated as the one we are focussing on producing.