-
Optimal congestion control strategies for near-capacity urban metros: informing intervention via fundamental diagrams
Authors:
Anupriya,
Daniel J. Graham,
Prateek Bansal,
Daniel Hörcher,
Richard Anderson
Abstract:
Congestion; operational delays due to a vicious circle of passenger-congestion and train-queuing; is an escalating problem for metro systems because it has negative consequences from passenger discomfort to eventual mode-shifts. Congestion arises due to large volumes of passenger boardings and alightings at bottleneck stations, which may lead to increased stopping times at stations and consequent queuing of trains upstream, further reducing line throughput and implying an even greater accumulation of passengers at stations. Alleviating congestion requires control strategies such as regulating the inflow of passengers entering bottleneck stations. The availability of large-scale smartcard and train movement data from day-to-day operations facilitates the development of models that can inform such strategies in a data-driven way. In this paper, we propose to model station-level passenger-congestion via empirical passenger boarding-alightings and train flow relationships, henceforth, fundamental diagrams (FDs). We emphasise that estimating FDs using station-level data is empirically challenging due to confounding biases arising from the interdependence of operations at different stations, which obscures the true sources of congestion in the network. We thus adopt a causal statistical modelling approach to produce FDs that are robust to confounding and as such suitable to properly inform control strategies. The closest antecedent to the proposed model is the FD for road traffic networks, which informs traffic management strategies, for instance, via locating the optimum operation point. Our analysis of data from the Mass Transit Railway, Hong Kong indicates the existence of concave FDs at identified bottleneck stations, and an associated critical level of boarding-alightings above which congestion sets-in unless there is an intervention.
Submitted 14 February, 2022; v1 submitted 24 November, 2020;
originally announced November 2020.
-
Reinforcement Learning with Combinatorial Actions: An Application to Vehicle Routing
Authors:
Arthur Delarue,
Ross Anderson,
Christian Tjandraatmadja
Abstract:
Value-function-based methods have long played an important role in reinforcement learning. However, finding the best next action given a value function of arbitrary complexity is nontrivial when the action space is too large for enumeration. We develop a framework for value-function-based deep reinforcement learning with a combinatorial action space, in which the action selection problem is explicitly formulated as a mixed-integer optimization problem. As a motivating example, we present an application of this framework to the capacitated vehicle routing problem (CVRP), a combinatorial optimization problem in which a set of locations must be covered by a single vehicle with limited capacity. On each instance, we model an action as the construction of a single route, and consider a deterministic policy which is improved through a simple policy iteration algorithm. Our approach is competitive with other reinforcement learning methods and achieves an average gap of 1.7% with state-of-the-art OR methods on standard library instances of medium size.
Submitted 22 October, 2020;
originally announced October 2020.
-
The Convex Relaxation Barrier, Revisited: Tightened Single-Neuron Relaxations for Neural Network Verification
Authors:
Christian Tjandraatmadja,
Ross Anderson,
Joey Huchette,
Will Ma,
Krunal Patel,
Juan Pablo Vielma
Abstract:
We improve the effectiveness of propagation- and linear-optimization-based neural network verification algorithms with a new tightened convex relaxation for ReLU neurons. Unlike previous single-neuron relaxations which focus only on the univariate input space of the ReLU, our method considers the multivariate input space of the affine pre-activation function preceding the ReLU. Using results from submodularity and convex geometry, we derive an explicit description of the tightest possible convex relaxation when this multivariate input is over a box domain. We show that our convex relaxation is significantly stronger than the commonly used univariate-input relaxation which has been proposed as a natural convex relaxation barrier for verification. While our description of the relaxation may require an exponential number of inequalities, we show that they can be separated in linear time and hence can be efficiently incorporated into optimization algorithms on an as-needed basis. Based on this novel relaxation, we design two polynomial-time algorithms for neural network verification: a linear-programming-based algorithm that leverages the full power of our relaxation, and a fast propagation algorithm that generalizes existing approaches. In both cases, we show that for a modest increase in computational effort, our strengthened relaxation enables us to verify a significantly larger number of instances compared to similar algorithms.
Submitted 22 October, 2020; v1 submitted 24 June, 2020;
originally announced June 2020.
-
Sponge Examples: Energy-Latency Attacks on Neural Networks
Authors:
Ilia Shumailov,
Yiren Zhao,
Daniel Bates,
Nicolas Papernot,
Robert Mullins,
Ross Anderson
Abstract:
The high energy costs of neural network training and inference led to the use of acceleration hardware such as GPUs and TPUs. While this enabled us to train large-scale neural networks in datacenters and deploy them on edge devices, the focus so far is on average-case performance. In this work, we introduce a novel threat vector against neural networks whose energy consumption or decision latency are critical. We show how adversaries can exploit carefully crafted $\boldsymbol{sponge}~\boldsymbol{examples}$, which are inputs designed to maximise energy consumption and latency.
We mount two variants of this attack on established vision and language models, increasing energy consumption by a factor of 10 to 200. Our attacks can also be used to delay decisions where a network has critical real-time performance, such as in perception for autonomous vehicles. We demonstrate the portability of our malicious inputs across CPUs and a variety of hardware accelerator chips including GPUs, and an ASIC simulator. We conclude by proposing a defense strategy which mitigates our attack by shifting the analysis of energy consumption in hardware from an average-case to a worst-case perspective.
Submitted 12 May, 2021; v1 submitted 5 June, 2020;
originally announced June 2020.
-
Towards Certifiable Adversarial Sample Detection
Authors:
Ilia Shumailov,
Yiren Zhao,
Robert Mullins,
Ross Anderson
Abstract:
Convolutional Neural Networks (CNNs) are deployed in more and more classification systems, but adversarial samples can be maliciously crafted to trick them, and are becoming a real threat. There have been various proposals to improve CNNs' adversarial robustness but these all suffer performance penalties or other limitations. In this paper, we provide a new approach in the form of a certifiable adversarial detection scheme, the Certifiable Taboo Trap (CTT). The system can provide certifiable guarantees of detection of adversarial inputs for certain $l_{\infty}$ sizes on a reasonable assumption, namely that the training data have the same distribution as the test data. We develop and evaluate several versions of CTT with a range of defense capabilities, training overheads and certifiability on adversarial samples. Against adversaries with various $l_p$ norms, CTT outperforms existing defense methods that focus purely on improving network robustness. We show that CTT has small false positive rates on clean test data, minimal compute overheads when deployed, and can support complex security policies.
Submitted 20 February, 2020;
originally announced February 2020.
-
Drift, Minorization, and Hitting Times
Authors:
Robert M. Anderson,
Haosui Duanmu,
Aaron Smith,
Jun Yang
Abstract:
The "drift-and-minorization" method, introduced and popularized in (Rosenthal, 1995; Meyn and Tweedie, 1994; Meyn and Tweedie, 2012), remains the most popular approach for bounding the convergence rates of Markov chains used in statistical computation. This approach requires estimates of two quantities: the rate at which a single copy of the Markov chain "drifts" towards a fixed "small set", and a "minorization condition" which gives the worst-case time for two Markov chains started within the small set to couple with moderately large probability. In this paper, we build on (Oliveira, 2012; Peres and Sousi, 2015) and our work (Anderson, Duanmu, Smith, 2019a; Anderson, Duanmu, Smith, 2019b) to replace the "minorization condition" with an alternative "hitting condition" that is stated in terms of only one Markov chain, and illustrate how this can be used to obtain similar bounds that can be easier to use.
Submitted 1 June, 2020; v1 submitted 13 October, 2019;
originally announced October 2019.
-
CAQL: Continuous Action Q-Learning
Authors:
Moonkyung Ryu,
Yinlam Chow,
Ross Anderson,
Christian Tjandraatmadja,
Craig Boutilier
Abstract:
Value-based reinforcement learning (RL) methods like Q-learning have shown success in a variety of domains. One challenge in applying Q-learning to continuous-action RL problems, however, is the continuous action maximization (max-Q) required for optimal Bellman backup. In this work, we develop CAQL, a (class of) algorithm(s) for continuous-action Q-learning that can use several plug-and-play optimizers for the max-Q problem. Leveraging recent optimization results for deep neural networks, we show that max-Q can be solved optimally using mixed-integer programming (MIP). When the Q-function representation has sufficient power, MIP-based optimization gives rise to better policies and is more robust than approximate methods (e.g., gradient ascent, cross-entropy search). We further develop several techniques to accelerate inference in CAQL, which despite their approximate nature, perform well. We compare CAQL with state-of-the-art RL algorithms on benchmark continuous-control problems that have different degrees of action constraints and show that CAQL outperforms policy-based methods in heavily constrained environments, often dramatically.
Submitted 28 February, 2020; v1 submitted 26 September, 2019;
originally announced September 2019.
-
Blackbox Attacks on Reinforcement Learning Agents Using Approximated Temporal Information
Authors:
Yiren Zhao,
Ilia Shumailov,
Han Cui,
Xitong Gao,
Robert Mullins,
Ross Anderson
Abstract:
Recent research on reinforcement learning (RL) has suggested that trained agents are vulnerable to maliciously crafted adversarial samples. In this work, we show how such samples can be generalised from White-box and Grey-box attacks to a strong Black-box case, where the attacker has no knowledge of the agents, their training parameters and their training methods. We use sequence-to-sequence models to predict a single action or a sequence of future actions that a trained agent will make. First, we show our approximation model, based on time-series information from the agent, consistently predicts RL agents' future actions with high accuracy in a Black-box setup on a wide range of games and RL algorithms. Second, we find that although adversarial samples are transferable from the target model to our RL agents, they often outperform random Gaussian noise only marginally. This highlights a serious methodological deficiency in previous work on such agents; random jamming should have been taken as the baseline for evaluation. Third, we propose a novel use for adversarial samples in Black-box attacks of RL agents: they can be used to trigger a trained agent to misbehave after a specific time delay. This appears to be a genuinely new type of attack. It potentially enables an attacker to use devices controlled by RL agents as time bombs.
Submitted 21 November, 2019; v1 submitted 6 September, 2019;
originally announced September 2019.
-
Recurring Concept Meta-learning for Evolving Data Streams
Authors:
Robert Anderson,
Yun Sing Koh,
Gillian Dobbie,
Albert Bifet
Abstract:
When concept drift is detected during classification in a data stream, a common remedy is to retrain a framework's classifier. However, this loses useful information if the classifier has learnt the current concept well, and this concept will recur again in the future. Some frameworks retain and reuse classifiers, but it can be time-consuming to select an appropriate classifier to reuse. These frameworks rarely match the accuracy of state-of-the-art ensemble approaches. For many data stream tasks, speed is important: fast, accurate frameworks are needed for time-dependent applications. We propose the Enhanced Concept Profiling Framework (ECPF), which aims to recognise recurring concepts and reuse a classifier trained previously, enabling accurate classification immediately following a drift. The novelty of ECPF is in how it uses similarity of classifications on new data, between a new classifier and existing classifiers, to quickly identify the best classifier to reuse. It always trains both a new classifier and a reused classifier, and retains the more accurate classifier when concept drift occurs. Finally, it creates a copy of reused classifiers, so a classifier well-suited for a recurring concept will not be impacted by being trained on a different concept. In our experiments, ECPF classifies significantly more accurately than a state-of-the-art classifier reuse framework (Diversity Pool) and a state-of-the-art ensemble technique (Adaptive Random Forest) on synthetic datasets with recurring concepts. It classifies real-world datasets five times faster than Diversity Pool, and six times faster than Adaptive Random Forest and is not significantly less accurate than either.
Submitted 21 May, 2019;
originally announced May 2019.
-
Improving Mechanical Ventilator Clinical Decision Support Systems with A Machine Learning Classifier for Determining Ventilator Mode
Authors:
Gregory B. Rehm,
Brooks T. Kuhn,
Jimmy Nguyen,
Nicholas R. Anderson,
Chen-Nee Chuah,
Jason Y. Adams
Abstract:
Clinical decision support systems (CDSS) will play an increasing role in improving the quality of medical care for critically ill patients. However, due to limitations in current informatics infrastructure, CDSS do not always have complete information on state of supporting physiologic monitoring devices, which can limit the input data available to CDSS. This is especially true in the use case of mechanical ventilation (MV), where current CDSS have no knowledge of critical ventilation settings, such as ventilation mode. To enable MV CDSS to make accurate recommendations related to ventilator mode, we developed a highly performant machine learning model that is able to perform per-breath classification of 5 of the most widely used ventilation modes in the USA with an average F1-score of 97.52%. We also show how our approach makes methodologic improvements over previous work and that it is highly robust to missing data caused by software/sensor error.
Submitted 29 April, 2019;
originally announced April 2019.
-
Sitatapatra: Blocking the Transfer of Adversarial Samples
Authors:
Ilia Shumailov,
Xitong Gao,
Yiren Zhao,
Robert Mullins,
Ross Anderson,
Cheng-Zhong Xu
Abstract:
Convolutional Neural Networks (CNNs) are widely used to solve classification tasks in computer vision. However, they can be tricked into misclassifying specially crafted `adversarial' samples -- and samples built to trick one model often work alarmingly well against other models trained on the same task. In this paper we introduce Sitatapatra, a system designed to block the transfer of adversarial samples. It diversifies neural networks using a key, as in cryptography, and provides a mechanism for detecting attacks. What's more, when adversarial samples are detected they can typically be traced back to the individual device that was used to develop them. The run-time overheads are minimal permitting the use of Sitatapatra on constrained systems.
Submitted 21 November, 2019; v1 submitted 23 January, 2019;
originally announced January 2019.
-
The Taboo Trap: Behavioural Detection of Adversarial Samples
Authors:
Ilia Shumailov,
Yiren Zhao,
Robert Mullins,
Ross Anderson
Abstract:
Deep Neural Networks (DNNs) have become a powerful tool for a wide range of problems. Yet recent work has found an increasing variety of adversarial samples that can fool them. Most existing detection mechanisms against adversarial attacks impose significant costs, either by using additional classifiers to spot adversarial samples, or by requiring the DNN to be restructured. In this paper, we introduce a novel defence. We train our DNN so that, as long as it is working as intended on the kind of inputs we expect, its behavior is constrained, in that some set of behaviors are taboo. If it is exposed to adversarial samples, they will often cause a taboo behavior, which we can detect. Taboos can be both subtle and diverse, so their choice can encode and hide information. It is a well-established design principle that the security of a system should not depend on the obscurity of its design, but on some variable (the key) which can differ between implementations and be changed as necessary. We discuss how taboos can be used to equip a classifier with just such a key, and how to tune the keying mechanism to adversaries of various capabilities. We evaluate the performance of a prototype against a wide range of attacks and show how our simple defense can defend against cheap attacks at scale with zero run-time computation overhead, making it a suitable defense method for IoT devices.
Submitted 21 November, 2019; v1 submitted 18 November, 2018;
originally announced November 2018.
-
Approximate maximum likelihood estimation using data-cloning ABC
Authors:
Umberto Picchini,
Rachele Anderson
Abstract:
A maximum likelihood methodology for a general class of models is presented, using an approximate Bayesian computation (ABC) approach. The typical target of ABC methods are models with intractable likelihoods, and we combine an ABC-MCMC sampler with so-called "data cloning" for maximum likelihood estimation. Accuracy of ABC methods relies on the use of a small threshold value for comparing simulations from the model and observed data. The proposed methodology shows how to use large threshold values, while the number of data-clones is increased to ease convergence towards an approximate maximum likelihood estimate. We show how to exploit the methodology to reduce the number of iterations of a standard ABC-MCMC algorithm and therefore reduce the computational effort, while obtaining reasonable point estimates. Simulation studies show the good performance of our approach on models with intractable likelihoods such as g-and-k distributions, stochastic differential equations and state-space models.
Submitted 11 August, 2016; v1 submitted 23 May, 2015;
originally announced May 2015.