Dissertations / Theses on the topic 'Adversarial Defence'

Consult the top 25 dissertations / theses for your research on the topic 'Adversarial Defence.'

1

Stiff, Harald. "Explainable AI as a Defence Mechanism for Adversarial Examples." Thesis, KTH, Skolan för elektroteknik och datavetenskap (EECS), 2019. http://urn.kb.se/resolve?urn=urn:nbn:se:kth:diva-260347.

Abstract:
Deep learning is the gold standard for image classification tasks. With its introduction came many impressive improvements in computer vision, outperforming all of the earlier machine learning models. However, in contrast to this success, it has been shown that deep neural networks are easily fooled by adversarial examples: data that have been modified slightly to cause the neural networks to make incorrect classifications. This significant disadvantage has caused increased doubt in neural networks, and it has been questioned whether or not they are safe to use in practice. In this thesis we propose a new defence mechanism against adversarial examples that utilizes the explainable AI metrics of neural network predictions to filter out adversarial examples prior to model interference. We evaluate the filters against various attacks and models targeted at the MNIST, Fashion-MNIST, and Cifar10 datasets. The results show that the filters can detect adversarial examples constructed with regular attacks but that they are not robust against adaptive attacks that specifically utilize the architecture of the defence mechanism.
2

Garcia, Dennis Alberto. "Peer-to-peer network modeling for adversarial proactive cyber defenses." Thesis, Massachusetts Institute of Technology, 2017. http://hdl.handle.net/1721.1/112849.

Abstract:
Thesis: M. Eng., Massachusetts Institute of Technology, Department of Electrical Engineering and Computer Science, 2017.
This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.
Cataloged from student-submitted PDF version of thesis.
Includes bibliographical references (pages 49-50).
This thesis implements a novel peer-to-peer network simulator that integrates co-evolutionary algorithms in order to model adversarial attack and defense dynamics in networks. Modeling this behavior is desirable as it allows for network designers to better develop network defense strategies against adaptive cyber attackers. By developing a network simulator that implements a peer-to-peer protocol, we were able to control the environment and abstract away many of the complex details that would normally arise from using a live network. Because of this environment, we were able to design attack and defense models and grammars, construct arbitrary network topologies, and rapidly test adversarial behavior using the integrated coevolutionary algorithms. Second, the thesis implements the integration of the coevolutionary algorithms with a more complex, proprietary emulator that implements an advanced version of Chord. Our experiments with this system start to investigate the effectiveness of peer-to-peer networks as defenders as well as elucidate the issues of integrating coevolutionary algorithms in a real-world system.
by Dennis Alberto Garcia.
M. Eng.
3

Coulibaly, Ibrahima. "Les droits de la défense en droit mauritanien." Thesis, Paris 8, 2018. http://www.theses.fr/2018PA080008.

Abstract:
The universalism of rights has brought procedural diversity to the concept of the rights of the defence. In every country, large or small, whatever its culture, it is accepted and official that no one can be judged without reference to fundamental rules and without the assistance of a lawyer. The rights of the defence are guaranteed in Mauritania by Law No. 2007-036 approving a Code of Criminal Procedure, Law No. 2007-012 on judicial organisation, and Law No. 99-035 establishing the Code of Civil, Commercial and Administrative Procedure. The rules on the rights of the defence cannot be achieved without the establishment of bodies that oversee their provisions. Equality before the courts is expressly treated as a fundamental right in the Constitution of 20 July 1991. However, the principle has no real effect despite the precision of the text. What seems absurd in our model of a system of "ineffective law" implies that the rules of fair trial are not applied equally to all. This is not the only difficulty or ambiguity. The present study argues, on the one hand, that the exercise of the adversarial principle and of equality of arms guarantees the effectiveness of the rights of the defence and, on the other hand, that the development of these principles contributes to a renewal of rights. The contemporary position on the rights of the defence uses this notion, often presenting the rights of the defence as a higher implication and a logical necessity of procedure, and thus as obeying the fundamental criteria of the right to a fair trial. It is determined by a whole series of procedures conducted in a trial and today rests on a set of legal bases protecting the rights of the defence. To this end, we have attempted a sociological evaluation without any claim to perfect scientific rigour. While avoiding legalism and positivism, the work nevertheless remains predominantly legal.
4

Wood, Adrian Michael. "A defensive strategy for detecting targeted adversarial poisoning attacks in machine learning trained malware detection models." Thesis, Edith Cowan University, Research Online, Perth, Western Australia, 2021. https://ro.ecu.edu.au/theses/2483.

Abstract:
Machine learning is a subset of Artificial Intelligence which is utilised in a variety of different fields to increase productivity, reduce overheads, and simplify the work process through training machines to automatically perform a task. Machine learning has been implemented in many different fields such as medical science, information technology, finance, and cyber security. Machine learning algorithms build models which identify patterns within data, which when applied to new data, can map the input to an output with a high degree of accuracy. To build the machine learning model, a dataset comprised of appropriate examples is divided into training and testing sets. The training set is used by the machine learning algorithm to identify patterns within the data, which are used to make predictions on new data. The test set is used to evaluate the performance of the machine learning model. These models are popular because they significantly improve the performance of technology through automation of feature detection which previously required human input. However, machine learning algorithms are susceptible to a variety of adversarial attacks, which allow an attacker to manipulate the machine learning model into performing an unwanted action, such as misclassifying data into the attacker's desired class, or reducing the overall efficacy of the ML model. One current research area is that of malware detection. Malware detection relies on machine learning to detect previously unknown malware variants, without the need to manually reverse-engineer every suspicious file. Detection of Zero-day malware plays an important role in protecting systems generally but is particularly important in systems which manage critical infrastructure, as such systems often cannot be shut down to apply patches and thus must rely on network defence.
In this research, a targeted adversarial poisoning attack was developed to allow Zero-day malware files, which were originally classified as malicious, to bypass detection by being misclassified as benign files. An adversarial poisoning attack occurs when an attacker can inject specifically-crafted samples into the training dataset which alters the training process to the desired outcome of the attacker. The targeted adversarial poisoning attack was performed by taking a random selection of the Zero-day file’s import functions and injecting them into the benign training dataset. The targeted adversarial poisoning attack succeeded for both Multi-Layer Perceptron (MLP) and Decision Tree models without reducing the overall efficacy of the target model. A defensive strategy was developed for the targeted adversarial poisoning attack for the MLP models by examining the activation weights of the penultimate layer at test time. If the activation weights were outside the norm for the target (benign) class, the file is quarantined for further examination. It was found to be possible to identify on average 80% of the target Zero-day files from the combined targeted poisoning attacks by examining the activation weights of the neurons from the penultimate layer.
5

Kanerva, Anton, and Fredrik Helgesson. "On the Use of Model-Agnostic Interpretation Methods as Defense Against Adversarial Input Attacks on Tabular Data." Thesis, Blekinge Tekniska Högskola, Institutionen för datavetenskap, 2020. http://urn.kb.se/resolve?urn=urn:nbn:se:bth-20085.

Abstract:
Context. Machine learning is a constantly developing subfield within the artificial intelligence field. The number of domains in which we deploy machine learning models is constantly growing and the systems using these models spread almost unnoticeably in our daily lives through different devices. In previous years, lots of time and effort has been put into increasing the performance of these models, overshadowing the significant risks of attacks targeting the very core of the systems, the trained machine learning models themselves. A specific attack with the aim of fooling the decision-making of a model, called the adversarial input attack, has almost exclusively been researched for models processing image data. However, the threat of adversarial input attacks stretches beyond systems using image data, to e.g. the tabular domain, which is the most common data domain used in the industry. Methods used for interpreting complex machine learning models can help humans understand the behavior and predictions of these complex machine learning systems. Understanding the behavior of a model is an important component in detecting, understanding and mitigating vulnerabilities of the model. Objectives. This study aims to reduce the research gap of adversarial input attacks and defenses targeting machine learning models in the tabular data domain. The goal of this study is to analyze how model-agnostic interpretation methods can be used in order to mitigate and detect adversarial input attacks on tabular data. Methods. The goal is reached by conducting three consecutive experiments where model interpretation methods are analyzed and adversarial input attacks are evaluated as well as visualized in terms of perceptibility. Additionally, a novel method for adversarial input attack detection based on model interpretation is proposed together with a novel way of defensively using feature selection to reduce the attack vector size. Results. The adversarial input attack detection showed state-of-the-art results with an accuracy over 86%. The proposed feature selection-based mitigation technique was successful in hardening the model from adversarial input attacks by reducing their scores by 33% without decreasing the performance of the model. Conclusions. This study contributes with satisfactory and useful methods for adversarial input attack detection and mitigation as well as methods for evaluating and visualizing the imperceptibility of attacks on tabular data.
6

Branlat, Matthieu. "Challenges to Adversarial Interplay Under High Uncertainty: Staged-World Study of a Cyber Security Event." The Ohio State University, 2011. http://rave.ohiolink.edu/etdc/view?acc_num=osu1316462733.

7

Jobert, Sylvain. "La connaissance des actes du procès civil par les parties." Thesis, Paris 2, 2016. http://www.theses.fr/2016PA020070.

Abstract:
In civil law procedures, the parties’ knowledge of the acts of the trial is essential; it guarantees that certain principles, such as the adversarial principle, will be respected. However, a difficulty arises: it is hard to determine whether a party has in fact become aware of the act which was communicated to him. The question is to determine whether the law can accept such a difficulty. To this end, two divergent models can be provided. In the formalistic one, the choice is made to favor the knowledge of the acts of the trial beforehand, in order to be able to become disinterested in their actual knowledge afterwards, all the means having been implemented to carry this out. In the realistic one, the way in which the acts of the trial are brought to the parties' attention is neglected, but thereafter, there is a resurgent focus on the knowledge the parties have genuinely had. The study reveals that the law of civil trial was initially based on a predominantly formalistic model, but this model has evolved, especially during the last decade. Under the influence of contemporary concerns to rationalize justice costs and increase the protection of the parties' fundamental rights, the formalism of the civil lawsuit has been tempered. Should it be even more moderate? This work pleads neither for the subversion of the classical model nor for its reinstatement. Instead, it is a nuanced evolution of the law which is suggested, one that promotes formalism when legal certainty requires it, without sacrificing the benefit of lightening the rules when it is necessary.
8

Metenier, Julian. "La protection pénale de l'accusé." Thesis, Aix-Marseille, 2014. http://www.theses.fr/2014AIXM1065.

Abstract:
The theme of the criminal-law protection of the accused, familiar to criminal law specialists, deserves today to be revisited from an essentially evidentiary angle, in light of current developments in the criminal trial. Situated at the confluence of innocence and guilt, the rights and guarantees granted to the accused, understood in its conventional sense, must be analysed in consideration of the founding principles of the presumption of innocence and the rights of the defence. The continuing evolution of these two principles, in diametrically opposite directions, inevitably affects the intensity and the modalities of the protection enjoyed by any person suspected or prosecuted in criminal proceedings. This study, deliberately limited to the preparatory phase of the criminal trial, sets out to examine, with a practical and technical focus, the various case-law and legislative developments in this area. It addresses the main issues currently encountered in criminal procedure, such as the legal status of the suspect and the effectiveness of the adversarial principle in the pre-trial criminal phase. While it may be tempting, at first sight, to conclude that the criminal-law protection granted to the accused has been indisputably strengthened, this question must be reconsidered in light of the procedural limits attached to the criminal trial. Far from approaching the theme from a partisan standpoint, the study aims for moderation in its statements. Indeed, perhaps more than on any other question of criminal procedure, it is imperative to keep a sense of proportion.
9

Borges, Lélia Moreira. "Adolescente em conflito com a lei: uma análise do direito à ampla defesa em Goiânia/Goiás." Universidade Federal de Goiás, 2017. http://repositorio.bc.ufg.br/tede/handle/tede/8806.

Abstract:
Coordenação de Aperfeiçoamento de Pessoal de Nível Superior - CAPES
This dissertation aimed to verify whether the adolescents subjected to institutionalization measures in Goiânia, Goiás – Brazil, were guaranteed their right to the adversarial principle and full defense in their trials. The empirical field of this investigation consisted of the analysis of cases filed in the period from 2014 to 2016, the observation of hearings carried out in the infractions court of the Child and Youth Court of Goiânia, GO, and interviews with public defenders. The Federal Constitution of 1988, the Child and Adolescent Statute, and the Criminal Code, Criminal Procedure Code and Civil Procedure Code were used as the main legal references for this study. As theoretical support, Emílio G. Mendez, Pierre Bourdieu and Loïc Wacquant were also used. These references were useful in understanding the infraction persecution dynamics operationalized by the security and justice system of the State. In addition, the understanding of the socio-juridical paradigm in force at each moment of history that justified the penalization of children and adolescents; the concept of field as a social space in competition, subject to internal disputes hierarchically established by the monopoly of the significance of such space; and the intensification of punitive actions by the State allow the perception of the permanence of the irregular situation paradigm in the professionals’ performances and judicial decisions. These decisions are marked by inequality between the institutions that operate in the juvenile criminal justice system, given the recent entry of the public defense counsel, not yet totally structured, into the game of signification and legitimation of a trial that is preponderantly inquisitive. This brings loss to the exercise of full defense of the adolescents accused of acts of infraction. Evidence of a mismatch is noticed between the advances in the children’s and adolescents’ acquisition of rights and guarantees and the criminal control operationalized by the juvenile criminal justice system of Goiânia / GO.
10

Nga, Essomba Tergalise. "La protection des droits de l'accusé devant la cour pénale internationale." Thesis, Lyon 3, 2011. http://www.theses.fr/2011LYO30005.

Abstract:
Protecting the rights of the accused depends in any legal debate on respect for a fair trial. In doing so, the creation of the ICC merits special attention by virtue not only of its being permanent and universal, but also the extent of international crimes with which it deals. As a result of this broad scope, research suggests any protective coverage is relative in its effectiveness and utopian, despite the requirement of compatibility of the law applicable to internationally recognized human rights. The apparent respect for these rights, the principle of due process and the requirement of the presence of the accused at his or her trial do not guarantee an effective equality of arms, the exercise of one’s rights or respect for the presumption of innocence. Instead, the procedural rule of imbalance, the excessive length of trials and the continued detention of the accused have led to objections about effectively protecting the rights of the accused. So-called protection gives way instead to the fight against impunity, the reticence of victims and witnesses and the sovereignty of States. Following this study, it is necessary to rebalance the rights of the parties and rethink the jurisdiction of the Court.
11

Thiam, Sangoné. "Droits de la défense et enquête policière." Thesis, Pau, 2018. http://www.theses.fr/2018PAUU2034/document.

Abstract:
Does a person who has dared to violate a value that society protects through criminal law deserve any defence from that society? For a long time this defence was the subject of controversy: some were in favour of it, others resolutely hostile. The compromise consisted in denying the rights of the defence during the police investigation by adopting an inquisitorial system, and in recognising them broadly at the trial stage with an adversarial (accusatorial) system. This mixed procedure seems, a priori, to answer the opposing interests at the heart of criminal procedure. But in the light of fundamental rights and under the influence of international and European provisions, this conception of procedure is becoming unsuitable. The rights of the defence, which are fair-trial rights, must no longer be subject to limitations; they must govern the entire procedure, from the police investigation to the trial stage. How will rights that originally applied only before an independent and impartial court make their way into the police investigation without a judge offering guarantees equivalent to those of the trial court? While the legislature first introduced the rights of the defence into the judicial investigation (instruction) phase, the decline of that phase in favour of the police investigation should prompt it to extend them. This is in fact what it has begun to do, but timidly. Making the rights of the defence effective in the police investigation requires not only broadening them, but also establishing an independent and impartial judge responsible for guaranteeing their full application, as at the trial stage. Bringing the police investigation under judicial control is now an imperative.
Did the person who dared to infringe a value criminally protected by the society deserve any defense from that latter? This defence has been controversial for a long time, while some have been in favor, others have been resolutely hostile. The compromise consisted in refusing the rights of the defense in the police investigation by adopting an inquisitorial system and devoting them largely in the judgment phase with an adversarial system. This diversity of the procedure seems a priori to answer the conflicting interests at the heart of the criminal proceedings. But in the light of fundamental rights and under the influence of international and European provisions, this conception of procedure becomes inappropriate. The rights of the defense, as well as the rights to fair trial must no longer be limited, they must govern the entire procedure from the police investigation to the trial stage. How would rights that initially applied only before an independent and impartial jurisdiction break into the police investigation without the existence of a judge providing guarantees equivalent to those of the trial court? If the legislator first introduced the rights of defense in the criminal investigation phase, the decline of the latter in favor of the police investigation should push him to extend them. In fact, this is what he has started to do, but in a timorous way. Not only does the effectiveness of the rights of the defense in the police investigation require to be enlarged, but it also allows putting in place an independent and impartial judge responsible for ensuring their full implementation as in the trial stage. A jurisdictionalization of the police investigation is now a requirement
12

Kardimis, Théofanis. "La chambre criminelle de la Cour de cassation face à l’article 6 de la Convention européenne des droits de l’homme : étude juridictionnelle comparée (France-Grèce)." Thesis, Lyon, 2017. http://www.theses.fr/2017LYSE3004.

Abstract:
The first part of the study is devoted to the invocation, intra and extra muros, of the right to a fair trial. It first analyses the direct applicability of Article 6 and the subsidiarity of the Convention in relation to national law and of the European Court of Human Rights in relation to national courts. Since the right to a fair trial is a right shaped by case law, the study then focuses on the invocability of the judgments of the European Court, and more precisely on the direct invocability of a judgment finding a violation of the right to a fair trial in a case involving the State concerned, and on the invocability of an interpretation in conformity with a judgment that interprets Article 6 in a case involving a third State. The introduction into the French and Greek legal orders of the possibility of re-examining a final criminal decision delivered in violation of the Convention has given rise to a new right of access to the Court of Cassation, which finds its preferred ground in violations of Article 6 and is perhaps the most important step towards respect for the right to a fair trial since the acceptance (by France and Greece) of the right of individual petition.
As for the weak basis of the authority of res interpretata of the European Court, a concept that is moreover of Community origin, it explains why an indirect dialogue between the European Court and the Court of Cassation is possible, without in any way changing the invocability of conforming interpretation or the fact that the existence of a precedent obliges the Court of Cassation to give reasons for the divergent interpretation it has adopted. The second part of the study, which is longer, is devoted to the guarantees of the proper administration of justice (Article 6§1), to the presumption of innocence (Article 6§2), to the rights that find their Convention basis in Article 6§1 but their logical basis in the presumption of innocence, and to the rights of the defence (Article 6§3). It thus analyses the right to an independent and impartial tribunal established by law, the reasonable-time requirement, the principle of equality of arms, the right to adversarial proceedings, the right of the defence to have the last word, the public nature of the hearing and of the pronouncement of judgments, the obligation to give reasons for decisions, the presumption of innocence in its procedural and personal dimensions, the "right to lie", the right of the accused to remain silent and not to contribute to his own incrimination, his right to be informed of the nature and cause of the accusation and of any proposed recharacterisation of the facts, his right to the time and facilities necessary for the preparation of the defence, including in particular the confidentiality of his communications with his lawyer and the right of access to the case file, his right to appear in person at trial, the right to defend oneself with or without the assistance of a lawyer, the right of the accused to be represented in his absence by his lawyer, the right to free legal assistance when the accused's financial situation does not allow him to retain a lawyer but the interests of justice so require, the right to examine or have examined witnesses against him and to obtain the attendance and examination of witnesses on his behalf under the same conditions as witnesses against him, and the right to interpretation and to translation of the essential documents in the case file. The analysis is based on the Strasbourg case law and centred on the position adopted by the French Court of Cassation and the Areopagus.
The first part of the study is dedicated to the invocation of the right to a fair trial intra and extra muros and, on this basis, it focuses on the direct applicability of Article 6 and the subsidiarity of the Convention and of the European Court of Human Rights. Because of the fact that the right to a fair trial is a ‘‘judge-made law’’, the study also focuses on the invocability of the judgments of the European Court and more precisely on the direct invocability of the European Court’s judgment finding that there has been a violation of the Convention and on the request for an interpretation in accordance with the European Court’s decisions. The possibility of reviewing the criminal judgment made in violation of the Convention has generated a new right of access to the Court of cassation which particularly concerns the violations of the right to a fair trial and is probably the most important step for the respect of the right to a fair trial after enabling the right of individual petition. As for the weak conventional basis of the authority of res interpretata (“autorité de la chose interprétée”), this fact explains why an indirect dialogue between the ECHR and the Court of cassation is possible but doesn’t affect the applicant’s right to request an interpretation in accordance with the Court’s decisions and the duty of the Court of cassation to explain why it has decided to depart from the (non-binding) precedent. The second part of the study is bigger than the first one and is dedicated to the guarantees of the proper administration of justice (Article 6§1), the presumption of innocence (Article 6§2), the rights which find their conventional basis on the Article 6§1 but their logical explanation to the presumption of innocence and the rights of defence (Article 6§3).
More precisely, the second part of the study is analyzing the right to an independent and impartial tribunal established by law, the right to a hearing within a reasonable time, the principle of equality of arms, the right to adversarial proceedings, the right of the defence to the last word, the right to a public hearing and a public pronouncement of the judgement, the judge’s duty to state the reasons for his decision, the presumption of innocence, in both its procedural and personal dimensions, the accused’s right to lie, his right to remain silent, his right against self-incrimination, his right to be informed of the nature and the cause of the accusation and the potential re-characterisation of the facts, his right to have adequate time and facilities for the preparation of the defence, including in particular the access to the case-file and the free and confidential communication with his lawyer, his right to appear in person at the trial, his right to defend either in person or through legal assistance, his right to be represented by his counsel, his right to free legal aid if he hasn’t sufficient means to pay for legal assistance but the interests of justice so require, his right to examine or have examined witnesses against him and to obtain the attendance and examination of witnesses on his behalf under the same conditions as witnesses against him and his right to the free assistance of an interpreter and to the translation of the key documents. The analysis is based on the decisions of the European Court of Human Rights and focuses on the position taken by the French and the Greek Court of Cassation (Areopagus) on each one of the above mentioned rights.
13

Lestrade, Éric. "Les principes directeurs du procès dans la jurisprudence du Conseil Constitutionnel." Thesis, Bordeaux 4, 2013. http://www.theses.fr/2013BOR40033/document.

Abstract:
Despite the few written provisions devoted to justice in the text of the Constitution of 4 October 1958, the Constitutional Council, by carrying out a work of updating based on the Declaration of the Rights of Man and of the Citizen, has enabled the emergence of a constitutional procedural law built around guiding principles. These can be divided into three categories: two main ones, depending on whether the trial actor primarily concerned is the judge or the parties, and a third, complementary one, that of procedural guarantees, which serve to foster the essential qualities of the judge and to monitor respect for the rights of the parties. A gradation in the Constitutional Council's requirements is discreetly perceptible between the first two categories of principles, and more easily identifiable between these and the last family. This decreasing scale of "density" of the guiding principles of the trial reflects a genuine jurisprudential policy in matters of constitutional procedural law, one that emphasises access to a judge endowed with the qualities indispensable to the fulfilment of his judicial mission. However, satisfactory as the action of the French constitutional judge with regard to the law of the trial may be, it would today need to be taken up by the constituent power in order to modernise the constitutional status of justice.
In spite of a relatively low number of written dispositions dedicated to justice inside of the body of the Constitution of October 1958 4th, the constitutional Council, while updating this text through the Declaration of Human Rights, contributed to the development of a procedural constitutional law, which is structured around guiding principles. Those principles can be classified within three different categories : two major categories depend on the trial actor that is primarily concerned, either the judge or the parties; a third and additional category pertaining to procedural protections, fosters the essential qualities of the judge and secure the protection of the parties’ rights. A gradation of the requirements of the constitutional Council is discreetly perceptible between the first two categories of principles, and more easily identifiable between those first two categories and the last one. This decreasing scale of “density” yoked to the trial guiding principles highlights a genuine judicial policy when it comes to procedural constitutional law, emphasizing access to the judge, whom is given essential qualities in order to achieve its judicial duty. However, the action of the French constitutional judge, as satisfactory as it is towards the rights of the trial, would easily support the intervention of the constituent power in order to update Justice’s constitutional status
14

Ciravegna, Gabriele. "On the Two-fold Role of Logic Constraints in Deep Learning." Doctoral thesis, 2022. http://hdl.handle.net/2158/1264916.

Abstract:
Deep Learning (DL) is a special class of Artificial Intelligence (AI) algorithms, studying the training of Deep Neural Networks (DNNs). Thanks to the modularity of their structure, these models are effective in a variety of problems ranging from computer vision to speech recognition. Particularly in the last few years, DL has achieved impressive results. Nonetheless, the excitement around the field may remain disappointed since there are still many open issues. In this thesis, we consider the Learning from Constraints framework. In this setting, learning is conceived as the problem of finding task functions while respecting a number of constraints representing the available knowledge. This setting allows considering different types of knowledge (including, but not exclusively, the supervisions) and mitigating some of the DL limits. DNN deployment, indeed, is still precluded in those contexts where manual labelling is expensive. Active Learning aims at solving this problem by requiring supervision only on few unlabelled samples. In this scenario, we propose to consider domain knowledge. Indeed, the relationships among classes offer a way to spot incoherent predictions, i.e., predictions where the model may most likely need supervision. We develop a framework where first-order-logic knowledge is converted into constraints and their violation is checked as a guide for sample selection. Another DL limit is the fragility of DNNs when facing adversarial examples, carefully perturbed samples causing misclassifications at test time. As in the previous case, we propose to employ domain knowledge since it offers a natural guide to detect adversarial examples. Indeed, while the domain knowledge is fulfilled over the training data, the same does not hold true outside this distribution. Therefore, a constrained classifier can naturally reject predictions associated to incoherent predictions, i.e., in this case, adversarial examples.
While some relationships are known properties of the considered environments, DNNs can also autonomously develop new relation patterns. Therefore, we also propose a novel Learning of Constraints formulation which aims at understanding which logic constraints are present among the task functions. This also allows explaining DNNs, otherwise commonly considered black-box classifiers. Indeed, the lack of transparency is a major limit of DL, preventing its application in many safety-critical domains. In a first case, we propose a pair of neural networks, where one learns the relationships among the outputs of the other one, and provides First-Order Logic (FOL)-based descriptions. Different typologies of explanations are evaluated in distinct experiments, showing that the proposed approach discovers new knowledge and can improve the classifier performance. In a second case, we propose an end-to-end differentiable approach, extracting logic explanations from the same classifier. The method relies on an entropy-based layer which automatically identifies the most relevant concepts. This enables the distillation of concise logic explanations in several safety-critical domains, outperforming state-of-the-art white-box models.
15

Малахова, Ольга Валентинівна, Ольга Валентиновна Малахова, and Olga V. Malakhova. "Реалізація інституту сприяння захисту у кримінально- процесуальному доказуванні." Thesis, 2016. http://hdl.handle.net/11300/5956.

Abstract:
Malakhova O.V. Implementation of the institute of defence promotion in criminal procedure proving: diss. ... Cand. of Law: 12.00.09 / Malakhova Olga Valentynivna. - Odessa, 2016. - 213 pp.
Dissertation for the degree of Candidate of Law, specialty 12.00.09 - criminal procedure and criminalistics; forensic examination; operational-search activity. - National University «Odessa Law Academy», Odessa, 2016. The dissertation is the first special comprehensive study in domestic scholarship of the implementation of the institute of defence promotion in criminal procedure proving under the current criminal procedural legislation of Ukraine. The dissertation analyses the doctrinal development of the theory of favor defensionis, clarifies the essence and content of favor defensionis as an institution of criminal procedural law, determines the significance of defence promotion in criminal procedure proving, and clarifies the legal nature of materials obtained by the defence during criminal proceedings. The procedural opportunities of the defence to collect evidence independently during the pre-trial investigation are characterised. The process of collecting evidence during the pre-trial investigation by the parties to criminal proceedings is described, taking into account the functioning of the institute of defence promotion. The legal procedure for examining evidence during the trial in the court of first instance is analysed in the context of defence promotion. The limits of the court's activity in criminal procedure proving are clarified, taking into account the adversarial nature of the trial. Scientifically substantiated proposals are formulated for amendments and additions to the Criminal Procedure Code of Ukraine in the context of implementing the institute of defence promotion in criminal procedure proving.
Dissertation for the degree of Candidate of Law, specialty 12.00.09 - criminal procedure and criminalistics; forensic examination; operational-search activity. - National University «Odessa Law Academy», Odessa, 2016. The dissertation is the first special comprehensive study in domestic scholarship of the implementation of the institute of defence promotion in criminal procedure proving under the current criminal procedural legislation of Ukraine. The doctrinal development of the theory of favor defensionis is examined. The essence of defence promotion as an institution of criminal procedural law is determined. The institute of defence promotion is understood as the set of legal norms that grant the defence exclusive rights and establish the duties of persons vested with authority to perform procedural actions in the interests of the defence, with the aim of balancing the rights and opportunities of the parties to criminal proceedings to uphold their own assertions before the court and to rebut the arguments of the prosecution. It is established that the content of the institute of defence promotion covers legal norms establishing: the exclusive rights of the defence; the duties of persons vested with authority to perform procedural actions in the interests of the defence; and the principles of criminal proceedings that favour the defence. The content of the institute of defence promotion under the current Criminal Procedure Code of Ukraine is characterised. It is established that the significance of implementing the institute of defence promotion in criminal procedure proving lies in expanding the limits of the activity of the suspect (accused) and defence counsel in criminal procedure proving, which is a necessary step towards creating proper conditions for upholding their legal positions before the court on the basis of procedural equality of the parties.
The procedural order for the collection of evidence by the defence during the pre-trial investigation is determined. The process of collecting evidence during the pre-trial investigation by the parties to criminal proceedings is characterised, taking into account the functioning of the institute of defence promotion. It is established that the implementation of the institute of defence promotion in the procedural activity of the prosecution in collecting evidence during the pre-trial investigation is expressed in granting the suspect exclusive rights. The legal procedure for exercising the suspect's exclusive rights during the pre-trial investigation is studied. The legal procedure for filing and considering defence motions aimed at collecting and verifying evidence is examined in the context of defence promotion. The legal procedure for the defence's familiarisation with the materials of the pre-trial investigation before its completion (Art. 221 of the Criminal Procedure Code of Ukraine), as well as by way of disclosure of materials to the other party (Art. 290 of the Criminal Procedure Code of Ukraine), is characterised. The procedure for appealing against the inaction of the investigator or prosecutor consisting in failure to consider a motion for familiarisation with the materials of the pre-trial investigation before its completion, as well as against a decision refusing to grant such a motion, is examined. The legal procedure for examining evidence during the trial in the court of first instance is determined in the context of defence promotion. The distribution of the burden of proof between the parties to criminal proceedings during the trial is characterised. The possibility of placing on the defence the burden of proving the absence of the event of a criminal offence is determined. The legal procedure for the court's declaring evidence inadmissible is examined.
The conditions for applying the concept of "asymmetry of the rules of admissibility of evidence", which should apply to exculpatory evidence obtained by the prosecution in violation of procedural form, are determined. The limits of the court's activity in criminal procedure proving in the context of the adversarial nature of the trial are determined. The subsidiary activity of the court in criminal procedure proving is examined as a component of the institute of defence promotion.
Dissertation for the Candidate of Law Degree, specialty 12.00.09 - criminal process and criminalistics; forensic examination, operational-search activity. - National University «Odessa Law Academy», Odessa, 2016. The dissertation is the first special comprehensive research that is devoted to the implementation of favor defensionis in criminal procedure proving according to the current criminal procedural legislation of Ukraine. The concept of institute of defence promotion in criminal procedure proving, as a specific legal mechanism, the purpose of which is to ensure the procedural equality of parties to criminal proceedings, is developed. The essence and significance of favor defensionis, as an institution of the criminal procedure law, are determined. Its structure and content according to the current criminal procedural legislation of Ukraine are defined. Process of collecting and examining evidence during the pre-trial investigation and the court proceedings in the first instance is characterized taking into account the functioning of institute of defence promotion. The procedural opportunities of the defense of independent collection of evidence during pre-trial investigation are examined.
16

"Detecting Adversarial Examples by Measuring their Stress Response." Master's thesis, 2019. http://hdl.handle.net/2286/R.I.55594.

Abstract:
Machine learning (ML) and deep neural networks (DNNs) have achieved great success in a variety of application domains, however, despite significant effort to make these networks robust, they remain vulnerable to adversarial attacks in which input that is perceptually indistinguishable from natural data can be erroneously classified with high prediction confidence. Works on defending against adversarial examples can be broadly classified as correcting or detecting, which aim, respectively, at negating the effects of the attack and correctly classifying the input, or detecting and rejecting the input as adversarial. In this work, a new approach for detecting adversarial examples is proposed. The approach takes advantage of the robustness of natural images to noise. As noise is added to a natural image, the prediction probability of its true class drops, but the drop is not sudden or precipitous. The same seems to not hold for adversarial examples. In other words, the stress response profile for natural images seems different from that of adversarial examples, which could be detected by their stress response profile. An evaluation of this approach for detecting adversarial examples is performed on the MNIST, CIFAR-10 and ImageNet datasets. Experimental data shows that this approach is effective at detecting some adversarial examples on small scaled simple content images and with little sacrifice on benign accuracy.
Dissertation/Thesis
Masters Thesis Computer Science 2019
17

Naseer, Muzammal. "Novel Concepts and Designs for Adversarial Attacks and Defenses." Phd thesis, 2021. http://hdl.handle.net/1885/258166.

Abstract:
Albeit displaying remarkable performance across a range of tasks, Deep Neural Networks (DNNs) are highly vulnerable to adversarial examples which are carefully created to deceive these networks. This thesis first demonstrates that DNNs are vulnerable against adversarial attacks even when the attacker is unaware of the model architecture or the training data used to train the model and then proposes a number of novel approaches to improve the robustness of DNNs against challenging adversarial perturbations. Specifically for adversarial attacks, our work highlights how targeted and untargeted adversarial functions can be learned without access to the original data distribution, training mechanism, or label space of an attacked computer vision system. We demonstrate state-of-the-art cross-domain transferability of adversarial perturbations learned from paintings, cartoons, and medical scans to models trained on natural image datasets (such as ImageNet). In this manner, our work highlights an important vulnerability of deep neural networks which makes their deployment challenging in a real-world scenario. Against the threat of these adversarial attacks, we develop novel defense mechanisms that can be deployed with or without retraining the deep neural networks. To this end, we design two plug-and-play defense methods that can protect off-the-shelf pre-trained models without retraining. Specifically, we propose Neural Representation Purifier (NRP) and Local Gradient Smoothing (LGS) to defend against constrained and unconstrained attacks, respectively. NRP learns to purify adversarial noise spread across the entire input image, however, it still struggles against unconstrained attacks where an attacker hides an adversarial sticker preferably in the background without disturbing the original salient image information.
We develop a mechanism to smooth local gradients in an input image to stabilize abnormal adversarial patterns introduced by the unconstrained attacks such as an adversarial patch. Robustifying the model's parameter space, that is, retraining the model on adversarial examples, is of equal importance. However, current adversarial training methods not only lose performance on the clean image samples (images without the adversarial noise) but also show poor generalization to natural image corruptions. We propose a style-based adversarial training that enhances the model robustness to adversarial attacks as well as natural corruptions. A model trained on our proposed stylized adversarial training shows better generalization to shifts in data distribution including natural image corruptions such as fog, rain, and contrast. One drawback of adversarial training is the loss of accuracy on clean image samples especially when the model size is small. To address this limitation, we design a meta-learning-based approach that takes advantage of universal (instance-agnostic) as well as local (instance-specific) perturbations to train small neural networks with feature regularization that leads to better robustness with minimal drop in performance on clean image samples. Adversarial training is useful if it can be deployed against unseen adversarial attacks. However, evaluating a certain adversarial training mechanism remains a challenging feat due to gradient masking, a phenomenon where adversarial robustness is high due to failed attack optimization. Finally, we develop a generic attack algorithm based on a novel guidance mechanism in order to expose any elusive robustness due to gradient masking.
In short, this thesis outlines new methods to expose the vulnerability of DNNs against adversarial perturbations and then sets out to propose novel defense techniques with special advantages over state-of-the-art methods e.g., task-agnostic behavior, good performance against natural perturbations, and less impact on model accuracy on clean image samples.
18

Huang, Chen-Wei, and 黃辰瑋. "Defense mechanism against adversarial attacks using density-based representation of images." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/u239p4.

Abstract:
Master's
National Chengchi University
Department of Computer Science
107
Adversarial examples are slightly modified inputs that are devised to cause erroneous inference of deep learning models. Recently, many methods have been proposed to counter the attack of adversarial examples. However, new ways of generating attacks have also surfaced accordingly. Protection against the intervention of adversarial examples is a fundamental issue that needs to be addressed before wide adoption of deep learning based intelligent systems. In this research, we utilize the method known as input recharacterization to effectively remove the perturbations found in the adversarial examples in order to maintain the performance of the original model. Input recharacterization typically consists of two stages: a forward transform and a backward reconstruction. Our hope is that by going through the lossy two-way transformation, the purposely added 'noise' or 'perturbation' will become ineffective. In this work, we employ digital halftoning and inverse halftoning for input recharacterization, although there exist many possible choices. We apply convolution layer visualization to better understand the network architecture and characteristics. The data set used in this study is Tiny ImageNet, consisting of 260 thousand 128x128 grayscale images belonging to 200 classes. Most defense mechanisms rely on gradient masking, input transform and adversarial training. Among these strategies, adversarial training is widely regarded as the most effective. However, it requires adversarial examples to be generated and included in the training set, which is impractical in most applications. The proposed approach is more similar to input transform. We convert the image from intensity-based representation to density-based representation using halftone operation, which hopefully invalidates the attack by changing the image representation. We also investigate whether inverse halftoning can eliminate the adversarial perturbation.
The proposed method does not require extra training of adversarial samples. Only low-cost input pre-processing is needed. On the VGG-16 architecture, the top-5 accuracy for the grayscale model is 76.5%, the top-5 accuracy for halftone model is 80.4%, and the top-5 accuracy for the hybrid model (trained with both grayscale and halftone images) is 85.14%. With adversarial attacks generated using FGSM, I-FGSM, and PGD, the top-5 accuracy of the hybrid model can still maintain 80.97%, 78.77%, 81.56%, respectively. Although the accuracy has been affected, the influence of adversarial examples is significantly discounted. The average improvement over existing input transform defense mechanisms is approximately 10%.
19

(11178210), Li-Chi Chang. "Defending against Adversarial Attacks in Speaker Verification Systems." Thesis, 2021.

Abstract:

With the advance of the technologies of the Internet of Things, smart devices or virtual personal assistants at home, such as Google Assistant, Apple Siri, and Amazon Alexa, have been widely used to control and access different objects like door locks, bulbs, air conditioners, and even bank accounts, which makes our life convenient. Because of its ease of operation, voice control has become a main interface between users and these smart devices. To make voice control more secure, speaker verification systems have been researched to apply human voice as biometrics to accurately identify a legitimate user and avoid illegal access. In recent studies, however, it has been shown that speaker verification systems are vulnerable to different security attacks such as replay, voice cloning, and adversarial attacks. Among all attacks, adversarial attacks are the most dangerous and very challenging to defend against. Currently, there is no known method that can effectively defend against such an attack in speaker verification systems.

The goal of this project is to design and implement a defense system that is simple, light-weight, and effective against adversarial attacks for speaker verification. To achieve this goal, we study the audio samples from adversarial attacks in both the time domain and the Mel spectrogram, and find that the generated adversarial audio is simply a clean illegal audio with small perturbations that are similar to white noises, but well-designed to fool speaker verification. Our intuition is that if these perturbations can be removed or modified, adversarial attacks can potentially lose the attacking ability. Therefore, we propose to add a plugin-function module to preprocess the input audio before it is fed into the verification system. As a first attempt, we study two opposite plugin functions: denoising that attempts to remove or reduce perturbations and noise-adding that adds small Gaussian noises to an input audio. We show through experiments that both methods can significantly degrade the performance of a state-of-the-art adversarial attack. Specifically, it is shown that denoising and noise-adding can reduce the targeted attack success rate of the attack from 100% to only 56% and 5.2%, respectively. Moreover, noise-adding can slow down the attack 25 times in speed and has a minor effect on the normal operations of a speaker verification system. Therefore, we believe that noise-adding can be applied to any speaker verification system against adversarial attacks. To the best of our knowledge, this is the first attempt in applying the noise-adding method to defend against adversarial attacks in speaker verification systems.


20

Lu, Yi-Wei, and 呂逸瑋. "Conditional Generative Adversarial Network for Defect Classification with Class Imbalance." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/gku365.

Abstract:
Master's degree
Yuan Ze University
Department of Information Management
107
Automated Optical Inspection (AOI) is used for defect inspection during the industrial manufacturing process. It uses an optical instrument to snap the surface of products and identifies defects through machine vision processing techniques. Deep learning and convolutional neural networks automatically produce the features which are useful for identifying the defect correctly. However, class imbalance between the number of defect samples and normal samples is typical in industrial processes, which leads to poor accuracy of the deep learning model. This paper proposes a framework named CGANC, which integrates a Conditional Generative Adversarial Network (GAN), which can generate synthetic images automatically, to generate more defect images to adjust the data distribution for class imbalance. Eventually, this paper uses a Convolutional Neural Network to get better results of defect data classification with manipulated data than with original data.
21

SUN, KUO-YU, and 孫國育. "Pills Defect Detection Based on Generative Adversarial Networks and Automatic Optical Inspection." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/4faumu.

Abstract:
Master's degree
National Taiwan University of Science and Technology
Department of Mechanical Engineering
107
In Taiwan, pharmaceutical industries generally inspect the surface of tablets for defects manually. This is not only time-consuming but also results in undesirable misjudgments. In recent years, due to the fast development of deep learning, neural networks have been applied to more and more fields. In order to train Convolutional Neural Networks for defect detection, a large number of defective samples have to be provided. However, it is very difficult to collect enough defective samples, and it also takes an enormous amount of time to mark the defects manually. This research makes use of a Generative Adversarial Network (GAN) to train the neural network model by only providing images of normal tablets. At the same time, a Wasserstein Generative Adversarial Network (WGAN) and an Autoencoder are used to rebuild a GAN for image reconstruction, comparing the image before and after reconstruction to detect the defects. Because the GAN fails to detect small defect areas, this research also implements traditional optical inspection techniques to inspect the defect of black spots. A series of experiments proves that the algorithms developed in this thesis are able to give a high defect inspection rate.
22

"Image-based Process Monitoring via Generative Adversarial Autoencoder with Applications to Rolling Defect Detection." Master's thesis, 2019. http://hdl.handle.net/2286/R.I.53733.

Abstract:
Image-based process monitoring has recently attracted increasing attention due to the advancement of the sensing technologies. However, existing process monitoring methods fail to fully utilize the spatial information of images due to their complex characteristics including the high dimensionality and complex spatial structures. Recent advancement of the unsupervised deep models such as a generative adversarial network (GAN) and generative adversarial autoencoder (AAE) has enabled learning the complex spatial structures automatically. Inspired by this advancement, we propose an anomaly detection framework based on the AAE for unsupervised anomaly detection for images. AAE combines the power of GAN with the variational autoencoder, which serves as a nonlinear dimension reduction technique with regularization from the discriminator. Based on this, we propose a monitoring statistic efficiently capturing the change of the image data. The performance of the proposed AAE-based anomaly detection algorithm is validated through a simulation study and real case study for rolling defect detection.
Dissertation/Thesis
Masters Thesis Industrial Engineering 2019
23

YANG, HAO-XIANG, and 楊皓翔. "Surface Defect Detection of Scarce Samples Based on Deep Learning Model and Generative Adversarial Network." Thesis, 2019. http://ndltd.ncl.edu.tw/handle/evzn27.

Abstract:
Master's degree
National Taipei University of Technology
Graduate Institute of Automation Technology
107
In traditional automated optical inspection (AOI), the surface defect detection of different targets usually requires specified detection algorithms and procedures from field expertise. In order to solve this problem, this thesis used a deep learning model to train on surface defects and further used data augmentation and a generative adversarial network (GAN) to add a more abundant training dataset. Sparse defect samples always occur in surface defect detection. Data augmentation through simple techniques, such as cropping, rotating, and flipping input images, is traditionally applied to expand the training dataset in order to improve the performance and ability of the model to generalize. However, these traditional techniques often induce overfitting of the defect model. This thesis firstly obtained rich and qualified defect images by active learning. The filtered defect images are successively fed into the GAN to add a more abundant training dataset. The Fréchet Inception Distance (FID) is further used to judge the difference between input and generated images. The images with the lowest FID will be stored as the training dataset of the surface defect model. The dataset will efficiently decrease the overkill rate and missed detection rate of the corresponding well-trained surface defect model. Finally, the surface detection of the deep learning model will be verified through the public dataset and the images captured by the AOI instrument in the real world. The experiment results show that the surface detection of the deep learning model can get equal detection accuracy and performance for both training with a huge raw dataset and with the dataset expanded by traditional data augmentation and GAN.
24

"The What, When, and How of Strategic Movement in Adversarial Settings: A Syncretic View of AI and Security." Doctoral diss., 2020. http://hdl.handle.net/2286/R.I.62910.

Abstract:
The field of cyber-defenses has played catch-up in the cat-and-mouse game of finding vulnerabilities followed by the invention of patches to defend against them. With the complexity and scale of modern-day software, it is difficult to ensure that all known vulnerabilities are patched; moreover, the attacker, with reconnaissance on their side, will eventually discover and leverage them. To take away the attacker's inherent advantage of reconnaissance, researchers have proposed the notion of proactive defenses such as Moving Target Defense (MTD) in cyber-security. In this thesis, I make three key contributions that help to improve the effectiveness of MTD. First, I argue that naive movement strategies for MTD systems, designed based on intuition, are detrimental to both security and performance. To answer the question of how to move, I (1) model MTD as a leader-follower game and formally characterize the notion of optimal movement strategies, (2) leverage expert-curated public data and formal representation methods used in cyber-security to obtain parameters of the game, and (3) propose optimization methods to infer strategies at Strong Stackelberg Equilibrium, addressing issues pertaining to scalability and switching costs. Second, when one cannot readily obtain the parameters of the game-theoretic model but can interact with a system, I propose a novel multi-agent reinforcement learning approach that finds the optimal movement strategy. Third, I investigate the novel use of MTD in three domains: cyber-deception, machine learning, and critical infrastructure networks. I show that the question of what to move poses non-trivial challenges in these domains. To address them, I propose methods for patch-set selection in the deployment of honey-patches, characterize the notion of differential immunity in deep neural networks, and develop optimization problems that guarantee differential immunity for dynamic sensor placement in power-networks.
Dissertation/Thesis
Doctoral Dissertation Computer Science 2020
25

Rodrigues, Raquel Filipa Neto. "A alteração da qualificação jurídica no Processo Penal Português : o Art. 358º : uma análise crítica sobre o regime legal." Master's thesis, 2018. http://hdl.handle.net/10400.14/26494.

Abstract:
The alteration of the legal qualification in criminal procedure law is an issue that is not new and has been widely discussed in doctrine and jurisprudence. It is true that the legislative reforms that our Criminal Procedure Code has undergone tried to address the difficulties that the jurists were pointing out. However, this matter is far from settled and still raises doubts. The legal establishment of the principle of free legal qualification by the court has resolved the question that until then divided the doctrine, whether or not the court could change the legal qualification of the facts described in the accusation, but raised new ones. Several theses have emerged as to how the rules relating to alteration of facts and/or alteration of the legal qualification should be interpreted. There are those who argue that the court can change the legal qualification, but that change is limited, in the penal provision, by the accusation so that the defendant is not jeopardized by this new qualification. Others argue that the principle of free qualification by the court is not limited (by the accusation), nor does it breach the defendant's guarantees of defence.