No Time to Spare: Adversarial Machine Learning at Training and Inference Time

Authors

Xiaoyun Xu

Keywords

Adversarial Machine Learning, Evasion Attack, Backdoor Attack

Synopsis

This thesis addresses the challenge of adversarial machine learning in deep learning models, focusing on defense mechanisms against evasion (adversarial-example) attacks and backdoor attacks. Part I analyzes evasion attacks through the lens of information bottleneck theory, showing that compressing redundant information in the input space enhances model robustness. This insight leads to novel, theoretically grounded adversarial training methods that give stronger defense against evasion attacks. Part II shifts to backdoor attacks, exploring the sensitivity of backdoored models to adversarial examples. The research introduces a backdoor trigger inversion method and investigates how adversarial perturbations can influence neuron weights to activate the backdoor functionality directly, bypassing the need for trigger recovery. This highlights the potential of parameter space analysis for effective backdoor detection and mitigation. An additional chapter systematically examines existing backdoor attacks and identifies a weakness shared by them: backdoor-related neurons are detectable. To address this, a novel backdoor attack is proposed that incorporates an adversarial backdoor injection module to ensure stealthiness across the input, feature, and parameter spaces. The thesis concludes by emphasizing the importance of adopting defense mechanisms before deploying machine learning in critical applications, so as to ensure the security and reliability of these systems.

Published

January 13, 2026

Publication format

PDF

ISBN-13

9789465152103