
March 31, 2025 at 6:00PM
Abstract
The development of deep neural networks in the last decade has revolutionized machine learning and led to major improvements in our ability to perform many computational and cognitive tasks. However, this was accompanied by the discovery that deep neural networks are extremely fragile: it is very easy to fool any neural network by making tiny changes to its inputs. These adversarial examples make it difficult to trust the results of such computations when the input can be manipulated by an adversary, and this problem has many applications and implications in object recognition, autonomous driving, cyber security, etc.
In this talk I will describe a simple conceptual framework which enables us to think about this surprising phenomenon from a fresh perspective, turning the existence of adversarial examples in deep neural networks from a baffling mystery into an unavoidable consequence of the geometry of the high-dimensional input space. Time permitting, I will then describe several other surprising attacks on the security of deep neural networks, including how one can backdoor state-of-the-art facial recognition systems by mathematically modifying a small fraction of their weights, even though we have no idea what the purpose and meaning of these weights are.
Bio
Adi Shamir (born July 6, 1952, Tel Aviv, Israel) is an Israeli cryptographer and computer scientist and co-winner, with American computer scientists Leonard M. Adleman and Ronald L. Rivest, of the 2002 A.M. Turing Award, the highest honour in computer science.
Shamir received a bachelor’s degree (1973) in mathematics from Tel Aviv University and a master’s degree (1975) in computer science and a doctorate (1977) in computer science from the Weizmann Institute. After a year of postdoctoral work in England at the University of Warwick, Shamir pursued research at MIT (1977–80) before joining the Weizmann Institute (1980– ), where he was the Paul and Marlene Borman Professor of Applied Mathematics.
While at MIT, Shamir met Adleman and Rivest, and in 1977 they produced the first public-key encryption system using digital signatures. Their data-encryption scheme relied on the enormous difficulty of factoring the product of two very large prime numbers, which form a cryptographic key. In 1983 they founded RSA Data Security to pursue commercial applications, which led to the creation of VeriSign, a widely used digital-certification system on the Internet. Millions of people use RSA encryption to secure e-mail and other digital transactions.