up
sueszli committed Dec 30, 2024
1 parent d8374ec commit 31cfe27
Showing 2 changed files with 1 addition and 1 deletion.
Binary file modified thesis.pdf
2 changes: 1 addition & 1 deletion thesis.tex
Expand Up @@ -126,7 +126,7 @@
% short. state what you did and what the most important result is.
Adversarial machine learning has traditionally focused on imperceptible perturbations that fool deep neural networks. This thesis challenges that narrow view by examining unrestricted adversarial examples \textendash{} a broader class of manipulations that can compromise model security while preserving semantics.

Through extensive experiments, we make three key contributions: First, we demonstrate that the standard imperceptibility constraint is insufficient for characterizing real-world adversarial threats through a comprehensive survey of current research. Second, we develop a novel and computationally efficient method for generating adversarial examples using geometric masks inspired by hCAPTCHA challenges. Our approach creates adversarial examples that are (1) effective, (2) transferable between models and (3) traceable in the model's decision space \textendash{} achieving comparable misclassification rates to existing techniques while requiring significantly less compute. Finally, we investigate improving model robustness by creating ensembles from intermediary ResNet layers using linear probes, combined with nature-inspired noise during training. While this architectural approach shows promise, we find that achieving ``zero-cost robustness'' remains elusive without adversarial training.
Through extensive experiments, we make three key contributions: First, we demonstrate that the standard imperceptibility constraint is insufficient for characterizing real-world adversarial threats through a comprehensive survey of current research. Second, we develop a novel and computationally efficient method for generating adversarial examples using geometric masks inspired by hCAPTCHA challenges. Our approach creates adversarial examples that are (1) effective, (2) transferable between models and (3) more traceable in the model's decision space \textendash{} achieving comparable misclassification rates to existing techniques while requiring significantly less compute. Finally, we investigate improving model robustness by creating ensembles from intermediary ResNet layers using linear probes, combined with nature-inspired noise during training. While this architectural approach shows promise, we find that achieving ``zero-cost robustness'' remains elusive without adversarial training.

This work advances our understanding of adversarial examples beyond pixel-space perturbations and provides practical tools for both generating and defending against them.
Our findings highlight the need to rethink how we conceptualize and evaluate adversarial robustness in machine learning systems.
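Review bot: the wording change on the "(3) more traceable" clause introduces a comparative with no stated baseline, so the abstract now claims the examples are more traceable without saying than what; the rest of the sentence compares against "existing techniques" for misclassification rate and compute, so the baseline for traceability should be named the same way (e.g. "(3) more traceable in the model's decision space than pixel-level perturbations"), or the hedge should be dropped if it was only meant to soften an absolute claim. The companion change to thesis.pdf is a rebuilt binary, which is expected for a one-word abstract edit, but the commit message gives no hint of what changed in the text, so a reader of the history has to open the diff to find out.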