The immune system serves as a model for defending neural networks against hacks


If a sticker on a banana can make it appear like a toaster, how could strategic vandalism distort how an autonomous vehicle perceives a stop sign? Now, an immune-inspired defense system for neural networks, designed by engineers, biologists and mathematicians at the University of Michigan, can ward off such attacks.

Deep neural networks are a subset of machine learning algorithms used for a wide variety of classification problems. These include image identification and machine vision (used by self-driving vehicles and other robots), natural language processing, language translation, and fraud detection. However, it is possible for a nefarious person or group to tweak the input slightly and send the algorithm in the wrong direction, so to speak. To protect the algorithms from such attacks, the Michigan team developed the Robust Immune-Inspired Learning System.

“RAILS represents the first-ever adversarial learning approach that draws inspiration from the adaptive immune system, which works differently from the innate immune system,” said Alfred Hero, Distinguished Professor at John H. Holland University, who co-directed the work published in IEEE Access.

While the innate immune system mounts a general attack against pathogens, the mammalian immune system can generate new cells designed to defend against specific pathogens. It turns out that deep neural networks, already inspired by the information processing system of the brain, can also take advantage of this biological process.

“The immune system is built for surprises,” said Indika Rajapakse, associate professor of computational medicine and bioinformatics and co-leader of the study. “It has an incredible design and will always find a solution.”

RAILS works by mimicking the immune system’s natural defenses to identify and ultimately address suspicious neural network inputs. To begin developing it, the biological team studied how the adaptive immune system of mice responded to an antigen. The experiment used the tissues of genetically modified mice that express fluorescent markers on their B cells.

The team created a model of the immune system by culturing cells from the spleen with those from the bone marrow, representing a headquarters and garrison of the immune system. This system allowed the biological team to track B cell development, which begins with a trial-and-error approach to designing a receptor that binds to antigen. Once the B cells converge on a solution, they produce both plasma B cells to capture any antigens present and memory B cells in preparation for the next attack.

Stephen Lindsly, a PhD student in bioinformatics at the time, performed data analysis on the information generated in Rajapakse’s lab and acted as a translator between biologists and engineers. Hero’s team then modeled this biological process on computers, mixing biological mechanisms into the code. They tested the RAILS defenses with adversarial inputs. Next, they compared the learning curve of B cells learning to attack antigens with that of the algorithm learning to exclude those bad inputs.

“We weren’t sure we really captured the biological process until we compared the learning curves from RAILS to those taken from experiments,” Hero said. “They were exactly the same.”

Not only was this effective biomimicry, but RAILS also outperformed two of the most common machine learning processes used to combat adversarial attacks: Robust Deep k-Nearest Neighbor and convolutional neural networks.

“A very promising part of this work is that our general framework can defend against different types of attacks,” said Ren Wang, an electrical and computer engineering researcher who was primarily responsible for developing and implementing the software.

The researchers used image identification as a test case, evaluating RAILS against eight types of adversarial attacks across multiple datasets. It showed improvement in all cases, including protection against the most damaging type of adversarial attack, known as the Projected Gradient Descent attack. Additionally, RAILS improved overall accuracy. For example, it helped correctly identify an image of a chicken and an ostrich, widely perceived as a cat and a horse, as two birds.

“It’s an amazing example of using math to understand this beautiful dynamic system,” Rajapakse said. “We may be able to take what we’ve learned from RAILS and help reprogram the immune system to work faster.”

Future efforts by Hero’s team will focus on reducing response time from milliseconds to microseconds.

Hero is also the R. Jamison and Betty Williams Professor of Engineering and Professor of Electrical Engineering and Computer Science, Biomedical Engineering, and Statistics. Rajapakse is also an Associate Professor of Mathematics and Biomedical Engineering. Lindsly is now at MathWorks.

The project was funded by the Department of Defense, the Defense Advanced Research Projects Agency and the Army Research Office.
