Blog Post #5: Easier Said Than Done

Hey everyone! This week’s blog post is going to be relatively short, as I covered the mechanics and mathematics of how I was going to generate the adversarial examples of traffic sign images. This week was about creating a program that implements the method I described last week. Thankfully, I was able to generate some adversarial examples! I have included an image of them below:

Screen Shot 2018-03-08 at 11.01.00 PM

The two images, put side-by-side like this, definitely shows how similar adversarial examples are to their original counterparts. However, it is easy to see that there are clear differences between the two, with the adversarial image looking more pixelated and adding more noise outside the red outline. This could be due to the fact that I did have some difficulty with creating and implementing the program. For a long while all of my adversarial images were coming out as greyscale images, which was definitely not what I was looking for. This was primarily due to the fact that the gradient descent model I was using to create the adversarial images would first preprocess the images by converting every image into greyscale to increase accuracy of the program, and the algorithm would then be trained with these greyscale images, thus outputting greyscale adversarial examples. I was not completely sure of how to convert a greyscale image to RGB values, so I had to remove the preprocessing method and instead work with the original colored images. This may have lead to the adversarial image being more pixelated and slightly different from the original image. If I have extra time on the project, I will definitely try to optimize the adversarial generation program further so that the original and adversarial examples look like carbon copies of each other. It could be as simple as changing the influence the original image carries on generating an adversarial example. Otherwise, I am very happy with how the adversarial examples turned out.

The next challenge for me is to generate about 30 images for each type of traffic sign, so about 1,200 images in total and compile them into a single folder of adversarial examples. This was supposed to be implemented sometime this past week, but because I had some difficulties in causing the adversarial image program the way I wanted it to, I had to leave this task for next week. It most likely will not take that long, though, as I am sure Python has some functions that will make the process quick and painless.

Stay tuned for next week, where I will be testing my machine learning algorithms on these adversarial images and see if there is a change in their classification accuracy! I’m very excited!

Until next time,





Blog Post #4: Neural Network Trickery

Greetings! It’s been a couple of weeks since the last blog post, but rest assured that I am still plowing through my project! Sadly, I have not been able to generate any adversarial examples from the traffic sign dataset. Instead, I’ve been focusing on learning the mathematics on how to generate these adversarial samples, which is most likely going to be the most complex and dense topic I will have to understand during the course of this project. In this blog post I will try to explain the mathematics behind the adversarial attacks. I hope to implement this next week in my code and provide you an example of what an altered traffic sign image looks like to provide further context in how the adversarial attacks looks like.

Essentially, there are two examples of adversarial attacks – targeted and non-targeted. A targeted attack is where a small amount of meticulously crafted noise is added to an image that causes a neural network to theoretically misclassify the image, even though the image will look extremely similar, or even exactly the same, to a human. Non-targeted examples are more rudimentary, in the sense that it is any input that will cause the neural network to malfunction. It does not have to look like a composed image; it can even be static or white noise. In the case of self-driving car neural networks, my type of adversarial attack will clearly be a targeted attack, as it is highly unlikely that white noise will appear anywhere on the streets.

There are many methods and functions used to generate adversarial samples. The most well-known method is called the fast gradient sign method, which is what I will be using to create these examples. The function for the fast gradient sign method is the following:

Image result for fast gradient sign method
Taken from Onfido Tech

This one line has taken me about a week to comprehend, but now that I understand it, it means that I am ready to implement in this in the two machine learning models I composed earlier. What this function boils down to is a concept called regularization, which is a way to use information already given, called a prior, to influence the results of a neural network model. Essentially, the x on the left side and the ytrue on the right side of the function acts as a prior, which means that I want the image to look like those terms. The gradient in the function will allow me to find the best value to modify the image that will trick the neural network given primarily through repeated iterations of the function. This value will then be added to the original image, which creates the adversarial image.

Now that I explained the method through which I will generate these adversarial images, I am going to attempt to implement this code next week, and hopefully I will have something to show you in terms of what an adversarial image looks like! Until next time!

Blog Post #3: Hit the Ground Running

Hi everyone! This was the first official week of my senior project, and I am very excited to recap the week’s events with you.

Essentially, this week was primarily dedicated to laying the foundation for the work I will be doing with generating adversarial images. Thus, my goal for this week was to train and test two traffic sign classifiers on a German Traffic Signs (GTSRB) dataset of different types – a logistic, or softmax, regression model, a basic algorithm used in machine learning, and a convolutional neural network, a much more complex type with many layers.

However, creating these neural networks from scratch is not an objective of mine in this project, as I do not have enough time to do so, and would rather spend that time on generating adversarial images. Thus, I looked into already-existing traffic sign classifiers online that fit the types of I was looking for.

Before I get into the machine learning aspect of this week, I want to speak a little bit on the dataset that I will be using for the project. The dataset, in total, has about 52,000 images of 32 X 32 pixel size, with Each of these 52,000 images organized into 43 classes. To give a better illustration of the dataset, I created two graphics in Python that helps explain how the dataset. The first image details the label for each of the 43 classes (apologies for the overlapping text – some of the labels were quite long and I wasn’t able to reformat it), while the second image shows the distribution of images of the total dataset.

Screen Shot 2018-02-15 at 8.16.36 PM

Screen Shot 2018-02-15 at 8.16.53 PM

While I was able to find a classifier that had convolution layers through this Github repository, I wasn’t as lucky to find a logistic regression model. However, with my external advisor’s help I was able to create a logistic regression classifier by adapting and making some changes to the code from this Tensorflow tutorial involving a dataset with handwritten digits. After training the convolutional neural network with the traffic sign dataset, the neural network had a 94.7% classification accuracy, the same as the accuracy from the Github project.  The changes I made to the Tensorflow tutorial code may have caused a drop in classification accuracy, from the tutorial’s accuracy of 91.7%  and my algorithm’s accuracy of 81.3%, but it is still understandable as the traffic sign dataset has more classes and image pixels compared to the handwritten digit dataset, which has images of 28 X 28 pixel size and only 10 classes. Still I would like to work on the logistic regression model over the weekend and ski break to try to increase the accuracy to about 90%.

Next week I will be diving into the field of creating adversarial images, which will definitely be expansive in both research and programming. Stay tuned!


Blog Post #2: A Primer on Self-Driving Cars

Hi everyone! This week has been hectic, especially with the large amount of school projects and tests I had to complete. Even though I explained some of the essential terms in my projects last week, such as adversarial attacks, I felt that I did not go over self-driving cars well enough, primarily due to the fact that I did not have enough knowledge on how self-driving cars work. However,when I visited the Computer History Museum two weeks ago, I learnt more about self-driving cars, enough to explain how they work. Thus, I decided to devote this blog post to this technology.

Driverless cars and taxis have been in the minds of people since the pages of science fiction of 1935 and has changed little in the ensuing decades. In fact, the dream of a self-driving car has become a reality, as it is now possible to buy a self-driving car. The Navia is a driverless car, but it has some limits. It’s only designed for closed environments, like a golf course or resort, has a top speed of 12 miles per hour, and costs about $250,000. However, Google has researched and developed technology for self-driving cars, guiding a fleet of Prius and Lexus vehicles over half a million miles. Thus, the firm is a leading advocate for driverless cars. An example of how these cars work is shown in the image below.

Credit: Google, Inc.

In essence, the self-driving car has a multitude of sensors around the frame that feeds data about the surrounds and the car itself to a central computer. The central computer takes a decision and sends an electric signal to maneuver the car. While it is inevitable that a self-driving car be accident-prove, it is possible, and even likely, that the central computer, or processor, can be exploited by hackers through adversarial attacks, which can turn the self-driving car from a accident-free asset to a malfunctioning liability. Thus, it is imperative to make sure that there is a defense against these attacks involving a safer future with driverless vehicles.

See you again next week, where I will be recapping the first official week of my senior project!

Blog Post 1: Introduction

Hey everyone! I’m Rishab and I’m currently in the 12th Grade at BASIS Independent Silicon Valley. Being a senior at this school means that I had the opportunity to undertake a senior project in the 3rd trimester.

One day last summer, my parents and I were at the dinner table discussing our day. My father told my mother and me of a dangerous occurrence that happened when test driving a self-driving car at his work. He explained that the car misclassified a stop sign and ran straight through it. This anecdote was my introduction to machine learning and my father explained it as a system in which machines are trained with data from the world to create new data. I was immediately fascinated by the topic and set out to learn more.

Through my research, I found that significant progress was being made on training neural networks, which would allow machines to correctly classify a set of data. This was also reflected in my classmates’ work. Many were involved in machine learning, such as creating a neural network that can predict the housing prices in a certain region; it was as if it became a new fad. Even with their projects and my research, I always asked one question that I never received a definite answer for: “How do we know if these networks are robust?” I wondered if I could create devious inputs that would cause networks to make the sort of mistake that nearly caused my father a heart attack in the self-driving car. (Note: An example of these inputs is in the picture of Sylvester Stallone above.)

When looking for answers to this question, I was dismayed to find that little research was done on these inputs. The attacks could potentially have dire effects, and many, particularly in my community, did not seem aware of this issue. With a dearth of research on this subject, I decided to answer the question myself and craft adversarial attacks that could make these neural networks malfunction. I did not want to attack a trivial neural network but rather one that has real-life consequences so I chose the neural networks for self-driving cars.

However, I could not undertake this project entirely on my own, as I could not fully grasp the technicalities behind the various machine learning algorithms. One day a fellow volunteer at my temple began to converse with me and it turned out he was a professor of computer science at Stanford. He seemed responsive to my enthusiasm for neural networks so I asked the professor if he was willing to guide me on my project, a longshot I figured. Amazingly, he obliged to meet with me and be my on-site advisor for this project.

With my mentor’s guidance and direction, I will definitely be making steady progress on the project, delving deeper and deeper into the technicalities of machine learning and neural networks, confirming that the generation of adversarial images does cause established networks to decrease their classification accuracy. With this knowledge in mind, I will test principal component analysis as a defense against these attacks to render them useless.

See you guys next week, where I will be posting about my thoughts on the first steps I took in the project! I have included attached my proposal below in case you want to further read into what I will be doing over the next 12 weeks.






Thanks for joining me on my quest to use principal component analysis as a defense against adversarial attacks on self-driving cars! I hope you have as much satisfaction reading my blog posts as much as I will progressing through my project!

Good company in a journey makes the way seem shorter. — Izaak Waltonmiracle.jpeg