Week 13: Knowledge Integration

Reading tasks
A Semantic Loss Function for Deep Learning with Symbolic Knowledge [ Link ]
SpecGuard: Specification Aware Recovery for Robotic Autonomous Vehicles from Physical Attacks [ Link ]
Informed Machine Learning - A Taxonomy and Survey of Integrating Prior Knowledge into Learning Systems [ Link ]

Blog Post 9: Semantic Loss
This paper introduces Semantic Loss, a logic-based loss function that allows deep neural networks to respect symbolic constraints during training. Instead of learning only from labeled data, the model is also guided by a logical formula that defines which output configurations are valid. Semantic Loss is defined as the negative log-probability that the network’s prediction satisfies that formula. This makes it possible to enforce rules such as “exactly one label must be true,” “the path must be continuous,” or “rankings must be transitive,” without changing the network architecture. The authors show that adding Semantic Loss improves performance on semi-supervised classification, structured path prediction, and ranking tasks. Overall, the work demonstrates a principled way to combine symbolic reasoning with deep learning by treating logic as a differentiable regularizer. [Read more ...]
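As an added illustration of the definition above (this is example code written for this page, not code from the Semantic Loss paper), the loss for the "exactly one label must be true" constraint is computed two ways: by brute-force weighted model counting over every assignment of the output variables, and by the closed form sum_i p_i prod_{j != i} (1 - p_j). The outputs are treated as independent Bernoulli probabilities, as for a sigmoid output layer; the `exactly_one` and `implies` constraint functions and the sample probability vectors are constructed here. The paper compiles the formula into an arithmetic circuit so the same sum is computed efficiently and differentiably; the enumeration below is only a reference implementation for small n.

```python
import itertools
import math


def semantic_loss(probs, satisfies):
    """Semantic loss = -log P(a sampled output satisfies the constraint).

    probs:     per-variable probabilities P(x_i = True); the variables are treated as
               independent, as they are for a sigmoid output layer.
    satisfies: callable returning True for an assignment (tuple of bools) that
               satisfies the logical formula.
    The probability is obtained by brute-force weighted model counting over all 2^n
    assignments (assumption: n is small; the paper uses a compiled circuit instead).
    """
    p_sat = 0.0
    for assignment in itertools.product((False, True), repeat=len(probs)):
        if satisfies(assignment):
            weight = 1.0
            for p, x in zip(probs, assignment):
                weight *= p if x else 1.0 - p
            p_sat += weight
    if p_sat <= 0.0:
        return math.inf  # no satisfying assignment has any probability mass
    return -math.log(p_sat)


def exactly_one(assignment):
    """The 'exactly one label must be true' constraint from the paper."""
    return sum(assignment) == 1


def implies(i, j):
    """Constraint x_i -> x_j: if label i is on, label j must be on (constructed example)."""
    return lambda assignment: (not assignment[i]) or assignment[j]


def exactly_one_closed_form(probs):
    """Closed form of the exactly-one loss: -log sum_i p_i prod_{j != i} (1 - p_j)."""
    p_sat = 0.0
    for i, p_i in enumerate(probs):
        term = p_i
        for j, p_j in enumerate(probs):
            if j != i:
                term *= 1.0 - p_j
        p_sat += term
    return math.inf if p_sat <= 0.0 else -math.log(p_sat)


if __name__ == "__main__":
    # Constructed output vectors: uncertain, confident-and-valid, one-hot.
    for probs in ([0.5, 0.5, 0.5], [0.9, 0.05, 0.05], [1.0, 0.0, 0.0]):
        print(probs, round(semantic_loss(probs, exactly_one), 4),
              round(exactly_one_closed_form(probs), 4))
    # x_0 -> x_1 with both uncertain: only (True, False) violates the formula.
    print(round(semantic_loss([0.5, 0.5], implies(0, 1)), 4))
```

The loss is zero for a one-hot prediction and grows as probability mass moves onto invalid configurations, which is what makes it usable as a regularizer alongside the usual supervised loss: unlabeled examples still contribute a gradient pushing the outputs toward configurations the formula allows.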

Week 12: ML Interpretability

Reading tasks
A Survey for Machine Learning Security to Securing Machine Learning for CPS [ Link ]
Asymmetry Vulnerability and Physical Attacks on Online Map Construction for Autonomous Driving [ Link ]

Blog Post 8: Online Map Construction
This paper reveals a fundamental vulnerability in modern online HD map construction models such as MapTR and VectorMapNet. These models exhibit a strong symmetry bias, often mispredicting asymmetric roads—like forks, merges, or sharp turns—as symmetric or straight. This flaw arises from training data imbalance and architectural design, and it can lead to unsafe planning behaviors such as missed turns or unreachable routes. To exploit this weakness, the authors introduce the first physical-world attacks on online map construction using simple roadside tools: a flashlight for camera blinding and adversarial patches for white-box attacks. Their two-stage framework first detects vulnerable asymmetric scenes and then optimizes roadside attack locations. Experiments on the nuScenes dataset and real-world tests show that these attacks significantly degrade map accuracy and increase unsafe planned trajectories. As a partial defense, the paper proposes fine-tuning with asymmetric data to improve robustness. A key limitation is that the attack is most effective only when the vehicle is near the interference source, and its impact weakens quickly once the vehicle passes it. Despite this, the work demonstrates a critical and previously overlooked safety risk in autonomous driving systems. [Read more ...]

Blog Post 7: Resilient Machine Learning for Networked CPS
This paper presents a systematic view of how ML algorithms can be applied to achieve resilient networked CPS. It discusses the interaction between ML and CPS in both directions, and points out that ML models are themselves vulnerable, so a resilient CPS built on ML also needs resilient ML. Many aspects of using ML for CPS resilience and of building resilient ML models are covered, along with promising directions for future research. [Read more ...]

Week 11: Reinforcement Learning

Reading tasks
Mastering the game of Go with deep neural networks and tree search [ Link ]
Adversarial Policies: Attacking Deep Reinforcement Learning [ Link ]

Blog Post 6: Attacking Deep Reinforcement Learning
The presentation covers the use of adversarial policies to attack deep reinforcement learning. The setting is a two-player Markov game in the MuJoCo (Multi-Joint dynamics with Contact) physics simulator, with four scenarios that have different goals: Kick and Defend, You Shall Not Pass, and two Sumo variants. All victim policies were trained with an LSTM except You Shall Not Pass, which was trained with an MLP. The adversarial policy excelled in You Shall Not Pass: rather than playing the game, it confused the victim by curling up into a ball, and this unexpected behavior won 86% of those episodes. The result demonstrates that adversarial policies can be applied to robotics. [Read more ...]

Blog Post 5: AlphaGo
The paper proposes a system, introduced as AlphaGo, that masters the game of Go by combining deep policy and value neural networks with Monte Carlo Tree Search (MCTS). First, a supervised policy network is trained on tens of millions of expert positions to imitate strong human moves; it is then refined by self-play reinforcement learning to maximize win rate. A separate value network learns to predict the eventual winner from a position, which reduces dependence on slow rollout simulations. During play, MCTS uses the policy network's move probabilities as priors for expanding the tree and the value network, combined with rollouts, for leaf evaluation, enabling efficient exploration of a vast search space. The single-machine version of AlphaGo defeated other Go programs in 494 of 495 games, and AlphaGo also beat the European champion Fan Hui 5-0 in an official match. Ablations showed that combining value-network estimates with rollouts works best and that policy + value + search is clearly stronger than any component alone. Overall, the paper showed that high-branching domains can be conquered by deep learning combined with guided search, opening the door to AlphaGo Zero and AlphaZero. [Read more ...]

Week 9: Adversarial ML

Reading tasks
L-HAWK: A Controllable Physical Adversarial Patch Against a Long-Distance Target [ Link ]
Generative Adversarial Nets [ Link ]

Blog Post 4: L-HAWK
L-HAWK: A Controllable Physical Adversarial Patch Against a Long-Distance Target (NDSS 2025) introduces a new kind of laser-triggered physical attack on autonomous vehicles (AVs). Conventional adversarial patches fool AV vision models but are always active and affect every vehicle nearby. L-HAWK overcomes this by using a printed patch that stays harmless until a laser signal activates it, allowing attackers to target a specific vehicle at up to 50 meters. [Read more ...]

Blog Post 3: GAN
Generative Adversarial Nets (Goodfellow et al., 2014) trains two networks against each other: a generator G that maps random noise to samples, and a discriminator D that estimates the probability that a sample came from the training data rather than from G. The two play a minimax game in which D is trained to tell real from generated samples and G is trained to fool D. The paper shows that, with enough capacity and at the game's equilibrium, the generator's distribution matches the data distribution and D outputs 1/2 everywhere. Both networks are trained with backpropagation alone, with no Markov chains or approximate inference, and the approach is demonstrated on image datasets. [Read more ...]

Week 8: Safety Monitoring in CPS

Reading tasks
Attacks against process control systems: risk assessment, detection, and response [ Link ]
Recovery-Guaranteed Sensor Attack Detection for Cyber-Physical Systems [ Link ]

Blog Post 2: Recovery-Guaranteed Sensor Attack Detection
This presentation proposes a recovery-guaranteed sensor attack detection framework for cyber‑physical systems (CPS). Unlike prior work that treats detection and recovery separately, the method co-designs detection thresholds with online recoverability verification, ensuring alarms are raised only when there remains enough time (a window of K steps) to safely recover. The architecture integrates residual calculation, state authentication with bounded error, incremental reachability-based recoverability estimation, and dynamic threshold adjustment that tightens or loosens sensitivity to guarantee recovery while minimizing false alarms. Validation spans vehicle platoon, aircraft pitch, and lane-keeping simulators, plus a physical 4‑wheel testbed, demonstrating zero missed recovery windows across bias, delay, and replay attacks. [Read more ...]

Blog Post 1: Attacks against PCS
This work presents a unified workflow for securing process control systems that couples risk assessment, physics-aware detection, and automatic response. Risk is quantified as expected loss under plausible attack scenarios to prioritize protection of high-criticality sensors (notably pressure). Detection compares measured outputs with model-based predictions to form residuals and uses a CUSUM statistic to surface slow, stealthy manipulations. Upon an alarm, a conservative response replaces compromised measurements with trusted estimates to keep the plant within constraints until operators intervene. [Read more ...]
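The residual-plus-CUSUM detection step described above, as an added example written for this page (not code from the paper): a constructed first-order linear plant stands in for the process model, the attacker adds a slowly ramping bias to the sensor reading and caps it so that no single residual ever crosses a stateless threshold, and a nonparametric CUSUM statistic on |r[k]| accumulates the small persistent deviation until it alarms. The plant parameters, the noise bound, the attack profile and the detector thresholds are all assumptions chosen for the illustration.

```python
import math

# Constructed first-order linear plant x[k+1] = A*x[k] + B*u[k] with a constant input.
# It stands in for the paper's plant model; the values are assumptions for the example.
A, B, U = 0.9, 1.0, 1.0
N_STEPS = 200
ATTACK_START = 50                  # step at which the sensor manipulation begins
BIAS_STEP, BIAS_CAP = 0.01, 0.3    # slow ramp, capped so no single reading looks abnormal
NOISE_AMPLITUDE = 0.1              # bound on the constructed measurement noise


def _noise(k):
    """Deterministic, bounded stand-in for sensor noise (constructed, |n| <= NOISE_AMPLITUDE)."""
    return NOISE_AMPLITUDE * math.sin(0.7 * k + 0.3)


def simulate_measurements(attack):
    """Run the plant and return the sensor readings y[k], manipulated when attack is True."""
    x, readings = 0.0, []
    for k in range(N_STEPS):
        bias = 0.0
        if attack and k >= ATTACK_START:
            bias = min(BIAS_STEP * (k - ATTACK_START), BIAS_CAP)
        readings.append(x + _noise(k) + bias)
        x = A * x + B * U
    return readings


def residuals(readings):
    """r[k] = y[k] - x_hat[k], with x_hat the open-loop model prediction from the known x[0] = 0."""
    x_hat, rs = 0.0, []
    for y in readings:
        rs.append(y - x_hat)
        x_hat = A * x_hat + B * U
    return rs


def stateless_detector(rs, threshold=0.5):
    """Alarm at the first step whose residual alone exceeds the threshold; None if never."""
    for k, r in enumerate(rs):
        if abs(r) > threshold:
            return k
    return None


def cusum_detector(rs, drift=0.15, tau=2.0):
    """Nonparametric CUSUM on |r|: S[k] = max(0, S[k-1] + |r[k]| - drift); alarm when S[k] > tau.

    drift must exceed the normal residual level so that S stays at zero without an attack;
    tau trades detection delay against false alarms from short bursts of noise.
    """
    s = 0.0
    for k, r in enumerate(rs):
        s = max(0.0, s + abs(r) - drift)
        if s > tau:
            return k
    return None


def compare_detectors(attack):
    """Return the alarm step of each detector (None = no alarm) and the largest residual seen."""
    rs = residuals(simulate_measurements(attack))
    return {
        "stateless": stateless_detector(rs),
        "cusum": cusum_detector(rs),
        "max_abs_residual": max(abs(r) for r in rs),
    }


if __name__ == "__main__":
    print("no attack :", compare_detectors(attack=False))
    print("slow bias :", compare_detectors(attack=True))
```

With the bias capped at 0.3 and noise bounded by 0.1, every residual stays below the stateless threshold of 0.5, so the threshold detector never fires; the CUSUM detector fires some tens of steps after the ramp starts because each step's small excess over the drift parameter is retained. Tuning matters in the other direction too: a drift parameter below the normal residual level makes S grow during benign operation and produces false alarms.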

Examples: Machine Learning Applications

Reading tasks
Deep Residual Learning for Image Recognition [ Link ]
Attention Is All You Need [ Link ]

Blog Post 2: Transformer
This paper introduces the Transformer, a sequence transduction architecture based solely on attention mechanisms, with no recurrence or convolution. It addresses the limitations of recurrent sequence models, whose step-by-step processing parallelizes poorly and becomes computationally expensive for longer sequences. The Transformer keeps an encoder-decoder structure: the encoder is a stack of identical layers, each with multi-head self-attention followed by a fully connected feed-forward network, while the decoder mirrors this structure and adds a third sub-layer, multi-head attention over the encoder's output. Attention is computed as scaled dot-product attention, which weights each value by how well its key matches the query; multi-head attention runs several such attentions in parallel over different learned subspaces and lets the model attend jointly to information from each. Encoder-decoder attention lets every decoder position look at all input positions, self-attention lets each position in a layer attend to all positions in that layer (masked in the decoder so a position cannot see later outputs), and positional encodings added to the input embeddings give the model the order of the tokens, which attention alone does not see. [Read more ...]
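The three mechanisms named above, scaled dot-product attention, multi-head attention and sinusoidal positional encodings, as an added worked example written for this page rather than code from the paper. It uses plain Python lists instead of a tensor library so that every operation is visible. Two simplifications are assumptions: the per-head projection matrices W_Q, W_K, W_V and the output projection W_O are omitted (identity projections), and the causal mask is exposed as a flag so the decoder's masked self-attention can be seen on a tiny input.

```python
import math


def softmax(xs):
    """Numerically stable softmax over a list of scores (handles -inf masked entries)."""
    m = max(xs)
    exps = [math.exp(x - m) for x in xs]
    z = sum(exps)
    return [e / z for e in exps]


def scaled_dot_product_attention(Q, K, V, causal=False):
    """Attention(Q, K, V) = softmax(Q K^T / sqrt(d_k)) V for a single head.

    Q, K, V are lists of row vectors (queries, keys, values). With causal=True, query i
    may only attend to keys j <= i, which is the decoder's self-attention mask.
    Returns (weights, output); weights[i][j] is how much query i attends to key j.
    """
    d_k = len(K[0])
    weights, output = [], []
    for i, q in enumerate(Q):
        scores = [sum(a * b for a, b in zip(q, k)) / math.sqrt(d_k) for k in K]
        if causal:
            scores = [s if j <= i else -math.inf for j, s in enumerate(scores)]
        w = softmax(scores)
        weights.append(w)
        # Each output row is the attention-weighted sum of the value rows.
        output.append([sum(w_j * v[c] for w_j, v in zip(w, V)) for c in range(len(V[0]))])
    return weights, output


def multi_head_attention(Q, K, V, num_heads, causal=False):
    """Split d_model into num_heads equal slices, attend in each subspace, concatenate.

    Assumption: identity projections. The paper applies learned W_Q, W_K, W_V per head
    and W_O to the concatenation; those are left out to keep the example self-contained.
    """
    d_model = len(Q[0])
    if d_model % num_heads:
        raise ValueError("d_model must be divisible by num_heads")
    d_h = d_model // num_heads
    head_outputs = []
    for h in range(num_heads):
        sl = slice(h * d_h, (h + 1) * d_h)
        _, out = scaled_dot_product_attention(
            [q[sl] for q in Q], [k[sl] for k in K], [v[sl] for v in V], causal)
        head_outputs.append(out)
    # Concatenate the heads along the feature axis, one row per query position.
    return [sum((head[i] for head in head_outputs), []) for i in range(len(Q))]


def positional_encoding(position, d_model):
    """Sinusoidal encoding from the paper: PE(pos, 2i) = sin(pos / 10000^(2i/d_model)),
    PE(pos, 2i+1) = cos(pos / 10000^(2i/d_model)). Assumes d_model is even."""
    pe = []
    for i in range(d_model // 2):
        angle = position / (10000 ** (2 * i / d_model))
        pe.append(math.sin(angle))
        pe.append(math.cos(angle))
    return pe


if __name__ == "__main__":
    # Constructed toy input: two positions, d_model = 4, used as Q, K and V (self-attention).
    X = [[1.0, 0.0, 0.0, 1.0], [0.0, 1.0, 1.0, 0.0]]
    w, out = scaled_dot_product_attention(X, X, X, causal=True)
    print("causal weights:", w)
    print("single head   :", out)
    print("two heads     :", multi_head_attention(X, X, X, num_heads=2, causal=True))
    print("PE(pos=1)     :", positional_encoding(1, 4))
```

The causal run shows the mask directly: the first position's weight on the second key is exactly zero, since exp(-inf) is 0 before normalization, which is what prevents the decoder from reading a token it has not generated yet.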

Blog Post 1: ResNet
As the number of layers in a neural network increases, training becomes harder. The ResNet paper starts from the observation that once a plain network is deep enough, its training error gets worse as layers are added, and that this degradation is not caused by overfitting (vanishing and exploding gradients are largely handled by normalized initialization and batch normalization). To address the degradation problem, the paper proposes deep residual networks (ResNets). By introducing "shortcut connections" that add a block's input to its output, the network layers are explicitly reformulated to learn residual functions relative to their inputs rather than unreferenced mappings. Residuals are easier to optimize, so substantially deeper models can be trained, and accuracy keeps improving with depth instead of degrading. The experimental section shows significant improvements on large-scale visual recognition tasks such as ImageNet and on CIFAR-10, and the results of deep residual networks in the ILSVRC and COCO 2015 competitions further demonstrate their power and wide applicability. [Read more ...]