Keynote: The Insecurity of Machine Learning: Problems and Solutions
Monday 23 September, 09:00-10:00
The development of deep neural networks in the last decade has revolutionized machine learning and led to major improvements in the precision with which we can perform many computational tasks. However, the discovery five years ago of adversarial examples, in which tiny changes in the input can fool well-trained neural networks, makes it difficult to trust such results when the input can be manipulated by an adversary.
This problem has many applications and implications in object recognition, autonomous driving, cyber security, etc., but it is still far from being understood. In particular, there had been no convincing explanations of why such adversarial examples exist, and which parameters determine the number of input coordinates one has to change in order to mislead the network.
In this talk I will describe a simple mathematical framework which enables us to think about this problem from a fresh perspective, turning the existence of adversarial examples in deep neural networks from a baffling phenomenon into an unavoidable consequence of the geometry of R^n under the Hamming distance, which can be quantitatively analyzed.
Bio
Adi Shamir received his PhD degree in Computer Science from the Weizmann Institute in 1977. After a year as a postdoc at the University of Warwick, he did research at MIT from 1977 to 1980 before returning to be a member of the faculty of Mathematics and Computer Science at the Weizmann Institute. Since 2006, he has also been an invited professor at École Normale Supérieure in Paris.
He is a co-inventor of the RSA algorithm (along with Ron Rivest and Len Adleman), a co-inventor of the Feige–Fiat–Shamir identification scheme (along with Uriel Feige and Amos Fiat), and one of the inventors of differential cryptanalysis, and has made numerous contributions to the fields of cryptography and computer science, including the Shamir secret sharing scheme, the breaking of the Merkle-Hellman knapsack cryptosystem, visual cryptography, and the TWIRL and TWINKLE factoring devices.
Shamir has also made contributions to computer science outside of cryptography, such as finding the first linear time algorithm for 2-satisfiability and showing the equivalence of the complexity classes PSPACE and IP.
Shamir has received a number of awards, including the following: the 2002 ACM Turing Award, together with Rivest and Adleman, in recognition of his contributions to cryptography; the Paris Kanellakis Theory and Practice Award; the Erdős Prize of the Israel Mathematical Society; the 1986 IEEE W.R.G. Baker Award; the UAP Scientific Prize; the Vatican’s PIUS XI Gold Medal; the 2000 IEEE Koji Kobayashi Computers and Communications Award; and the Israel Prize, in 2008, for computer sciences. He holds an honorary DMath (Doctor of Mathematics) degree from the University of Waterloo. In 2018 he was elected to the Royal Society as a foreign member.