CS SEMINAR

Certifying Trustworthy Machine Learning: From Defenses to Attacks

Speaker
Dr. Yuan Hong, Associate Professor and Collins Aerospace Endowed Professor, School of Computing at the University of Connecticut (UConn)
Chaired by
Dr. LIANG Zhenkai, Associate Professor, School of Computing
liangzk@comp.nus.edu.sg

15 Jan 2025 Wednesday, 10:30 AM to 11:30 AM

MR21, COM3 02-61

Abstract:
In the past decade, adversarial attacks and defenses have been extensively studied to expose vulnerabilities and develop countermeasures for enhancing the robustness of machine learning models. This talk will present our recent advances in certifying both defenses and attacks, with a focus on moving from empirical approaches to provable guarantees. First, we will introduce Text-CRS, the first generalized certified robustness framework for language models against a wide range of word-level adversarial operations, including synonym substitution, word reordering, insertion, and deletion. By leveraging randomized smoothing in both permutation and embedding spaces, Text-CRS improves certified accuracy and robustness. Second, we will shift focus to the attack side by introducing certifiable black-box adversarial attacks. While certified defenses have been well studied, this is the first attack framework that provides provable guarantees for the attack success probability (ASP). It reveals critical weaknesses in machine learning models, even those protected by state-of-the-art defenses. Our attack framework constructs a continuous space of adversarial examples with a lower-bounded (high) ASP. Finally, we will discuss certification in other areas of trustworthy machine learning.

Bio:
Yuan Hong is an Associate Professor and Collins Aerospace Endowed Professor in the School of Computing at the University of Connecticut (UConn), where he directs the Data Security and Privacy (DataSec) Laboratory. His research spans security, privacy, and trustworthy machine learning, with a focus on areas such as differential privacy, secure computation, applied cryptography, adversarial attacks and provable defenses in machine learning, computer vision, (large) language models, and cyber-physical systems. His work has appeared in top-tier conferences in Security (e.g., S&P, CCS, USENIX Security, NDSS) and Data Science (e.g., SIGMOD, VLDB, NeurIPS, CVPR, ECCV, EMNLP, KDD, AAAI), as well as in top interdisciplinary journals. He is a recipient of the NSF CAREER Award (2021), Cisco Research Award (2022, 2023), and CCS Distinguished Paper Award (2024), and was a finalist for the Meta Research Award (2021). He regularly serves on the technical program committee (PC) or as a Senior PC member for top security and data science conferences and is an Associate Editor for IEEE Transactions on Dependable and Secure Computing (TDSC) and Computers & Security.