About

Cho-Jui Hsieh is an Associate Professor of Computer Science at UCLA Samueli School of Engineering. His research interests include machine learning, data mining, optimization, and adversarial deep learning. He has received numerous awards for his contributions, including the Okawa Foundation Research Award, the ICLR Outstanding Paper Award, and the NSF CAREER Award, among others. Hsieh earned his PhD from the University of Texas at Austin in 2015. His work focuses on advancing artificial intelligence through innovative research in neural network verification, efficient natural language processing, and related fields.

Research topics

• Computer Science
• Artificial Intelligence
• Machine Learning
• Engineering
• Human–computer interaction
• Mathematics

Selected publications

• Adversary detection

  Elsevier eBooks · 2022

  Senior authorCorresponding
  • Computer Science
  • Computer Science
  DOI

• Model reprogramming

  Elsevier eBooks · 2022 · 4 citations

  Senior authorCorresponding
  • Computer Science
  • Computer Science
  • Artificial Intelligence
  DOI

• Robust Text CAPTCHAs Using Adversarial Examples

  2021 IEEE International Conference on Big Data (Big Data) · 2022 · 17 citations

  Senior authorCorresponding
  • Computer Science
  • Computer Science
  • Artificial Intelligence

  CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a widely used technology to distinguish real users and automated users such as bots. However, the advance of AI technologies weakens many CAPTCHA tests and can induce security concerns. In this paper, we propose a user-friendly text-based CAPTCHA generation method named Robust Text CAPTCHA (RTC). At the first stage, the foregrounds and backgrounds are constructed with font and background images respectively sampled from font and image libraries, and they are then synthesized into identifiable pseudo adversarial CAPTCHAs. At the second stage, we utilize a highly transferable adversarial attack designed for text CAPTCHAs to better obstruct CAPTCHA solvers. Our experiments cover comprehensive models including shallow models such as KNN, SVM and random forest, as well as various deep neural networks and OCR models. Experiments show that our CAPTCHAs have a failure rate lower than one millionth in general and high usability. They are also robust against various defensive techniques that attackers may employ, including adversarially trained CAPTCHA solvers and solvers trained with collected RTCs using manual annotation. Codes available at https://github.com/RulinShao/RTC.

  DOI

• ML-LOO: Detecting Adversarial Examples with Feature Attribution

  Proceedings of the AAAI Conference on Artificial Intelligence · 2020 · 88 citations

  • Computer Science
  • Computer Science
  • Artificial Intelligence

  Deep neural networks obtain state-of-the-art performance on a series of tasks. However, they are easily fooled by adding a small adversarial perturbation to the input. The perturbation is often imperceptible to humans on image data. We observe a significant difference in feature attributions between adversarially crafted examples and original examples. Based on this observation, we introduce a new framework to detect adversarial examples through thresholding a scale estimate of feature attribution scores. Furthermore, we extend our method to include multi-layer feature attributions in order to tackle attacks that have mixed confidence levels. As demonstrated in extensive experiments, our method achieves superior performances in distinguishing adversarial examples from popular attack methods on a variety of real data sets compared to state-of-the-art detection methods. In particular, our method is able to detect adversarial examples of mixed confidence levels, and transfer between different attacking methods. We also show that our method achieves competitive performance even when the attacker has complete access to the detector.

  PublisherOA PDFDOI

• Robust Deep Reinforcement Learning against Adversarial Perturbations on\n State Observations

  arXiv (Cornell University) · 2020 · 111 citations

  • Computer Science
  • Artificial Intelligence
  • Computer Science

  A deep reinforcement learning (DRL) agent observes its states through\nobservations, which may contain natural measurement errors or adversarial\nnoises. Since the observations deviate from the true states, they can mislead\nthe agent into making suboptimal actions. Several works have shown this\nvulnerability via adversarial attacks, but existing approaches on improving the\nrobustness of DRL under this setting have limited success and lack for\ntheoretical principles. We show that naively applying existing techniques on\nimproving robustness for classification tasks, like adversarial training, is\nineffective for many RL tasks. We propose the state-adversarial Markov decision\nprocess (SA-MDP) to study the fundamental properties of this problem, and\ndevelop a theoretically principled policy regularization which can be applied\nto a large family of DRL algorithms, including proximal policy optimization\n(PPO), deep deterministic policy gradient (DDPG) and deep Q networks (DQN), for\nboth discrete and continuous action control problems. We significantly improve\nthe robustness of PPO, DDPG and DQN agents under a suite of strong white box\nadversarial attacks, including new attacks of our own. Additionally, we find\nthat a robust policy noticeably improves DRL performance even without an\nadversary in a number of environments. Our code is available at\nhttps://github.com/chenhongge/StateAdvDRL.\n

  DOI

• Emotional EEG classification using connectivity features and convolutional neural networks

  Neural Networks · 2020 · 92 citations

  • Computer Science
  • Artificial Intelligence
  • Computer Science
  PublisherOA PDFDOI

• Learning to Encode Position for Transformer with Continuous Dynamical\n Model

  arXiv (Cornell University) · 2020 · 56 citations

  • Computer Science
  • Artificial Intelligence
  • Computer Science

  We introduce a new way of learning to encode position information for\nnon-recurrent models, such as Transformer models. Unlike RNN and LSTM, which\ncontain inductive bias by loading the input tokens sequentially, non-recurrent\nmodels are less sensitive to position. The main reason is that position\ninformation among input units is not inherently encoded, i.e., the models are\npermutation equivalent; this problem justifies why all of the existing models\nare accompanied by a sinusoidal encoding/embedding layer at the input. However,\nthis solution has clear limitations: the sinusoidal encoding is not flexible\nenough as it is manually designed and does not contain any learnable\nparameters, whereas the position embedding restricts the maximum length of\ninput sequences. It is thus desirable to design a new position layer that\ncontains learnable parameters to adjust to different datasets and different\narchitectures. At the same time, we would also like the encodings to\nextrapolate in accordance with the variable length of inputs. In our proposed\nsolution, we borrow from the recent Neural ODE approach, which may be viewed as\na versatile continuous version of a ResNet. This model is capable of modeling\nmany kinds of dynamical systems. We model the evolution of encoded results\nalong position index by such a dynamical system, thereby overcoming the above\nlimitations of existing methods. We evaluate our new position layers on a\nvariety of neural machine translation and language understanding tasks, the\nexperimental results show consistent improvements over the baselines.\n

  DOI

Recent grants

• Collaborative Research: SLES: Verifying and Enforcing Safety Constraints in AI-based Sequential Generation

  NSF · $540k · 2023–2026

• CAREER: Robustness Verification and Certified Defense for Machine Learning Models

  NSF · $516k · 2021–2027

• RI: Small: Learning to Optimize: Designing and Improving Optimizers by Machine Learning Algorithms

  NSF · $450k · 2020–2023

Frequent coauthors

• Pin‐Yu Chen

  3 shared

• Devaansh Gupta

  Aalto University

  1 shared

• Thomas C. M. Lee

  University of California, Davis

  1 shared

• Siddhant Kharbanda

  University of California, Los Angeles

  1 shared

• Zhouxing Shi

  1 shared

• Rohit Babbar

  1 shared

• Pankaj Malhotra

  Post Graduate Institute of Medical Education and Research

  1 shared

• Xiawei Wang

  First Affiliated Hospital Zhejiang University

  1 shared

Awards & honors

• Okawa Foundation Research Award, 2021
• VNN-COMP | Verification of Neural Networks Competition Award…
• ICLR Outstanding Paper Award, 2021
• Google Research Scholar Award, 2021
• NSF CAREER Award, 2021

Similar researchers at University of California, Los Angeles

• Antoni Ribash-218
• Timothy Cloughesyh-173
• Owen Witteh-170
• Yu Huangh-166
• David S. Eisenbergh-159