Andrey Morozov

Mohamed Abdelmaksoud, Sheng Ding, Andrey Morozov et al.

Time-series data vary widely across domains, making a universal anomaly detector impractical. Methods that perform well on one dataset often fail to transfer because what counts as an anomaly is context dependent. The key challenge is to design a method that performs well in specific contexts while remaining adaptable across domains with varying data complexities. We present the Robust and Adaptive Model Selection for Time-Series Anomaly Detection RAMSeS framework. RAMSeS comprises two branches: (i) a stacking ensemble optimized with a genetic algorithm to leverage complementary detectors. (ii) An adaptive model-selection branch identifies the best single detector using techniques including Thompson sampling, robustness testing with generative adversarial networks, and Monte Carlo simulations. This dual strategy exploits the collective strength of multiple models and adapts to dataset-specific characteristics. We evaluate RAMSeS and show that it outperforms prior methods on F1.

Georg Siedel, Silvia Vock, Andrey Morozov et al.

Robustness is a fundamental pillar of Machine Learning (ML) classifiers, substantially determining their reliability. Methods for assessing classifier robustness are therefore essential. In this work, we address the challenge of evaluating corruption robustness in a way that allows comparability and interpretability on a given dataset. We propose a test data augmentation method that uses a robustness distance $ε$ derived from the datasets minimal class separation distance. The resulting MSCR (minimal separation corruption robustness) metric allows a dataset-specific comparison of different classifiers with respect to their corruption robustness. The MSCR value is interpretable, as it represents the classifiers avoidable loss of accuracy due to statistical corruptions. On 2D and image data, we show that the metric reflects different levels of classifier robustness. Furthermore, we observe unexpected optima in classifiers robust accuracy through training and testing classifiers with different levels of noise. While researchers have frequently reported on a significant tradeoff on accuracy when training robust models, we strengthen the view that a tradeoff between accuracy and corruption robustness is not inherent. Our results indicate that robustness training through simple data augmentation can already slightly improve accuracy.

Thorben Schey, Khaled Karoonlatifi, Michael Weyrich et al.

This paper introduces a novel closed-loop testing methodology for efficient linearity testing of high-resolution Successive Approximation Register (SAR) Analog-to-Digital Converters (ADCs). Existing test strategies, including histogram-based approaches, sine wave testing, and model-driven reconstruction, often rely on dense data acquisition followed by offline post-processing, which increases overall test time and complexity. To overcome these limitations, we propose an adaptive approach that utilizes an iterative behavioral model refined by an Extended Kalman Filter (EKF) in real time, enabling direct estimation of capacitor mismatch parameters that determine INL behavior. Our algorithm dynamically selects measurement points based on current model uncertainty, maximizing information gain with respect to parameter confidence and narrowing sampling intervals as estimation progresses. By providing immediate feedback and adaptive targeting, the proposed method eliminates the need for large-scale data collection and post-measurement analysis. Experimental results demonstrate substantial reductions in total test time and computational overhead, highlighting the method's suitability for integration in production environments.

Thorben Schey, Khaled Karoonlatifi, Michael Weyrich et al.

This paper builds on our Uncertainty-Guided Live Measurement Sequencing (UGLMS) method. UGLMS is a closed-loop test strategy that adaptively selects SAR ADC code edges based on model uncertainty and refines a behavioral mismatch model in real time via an Extended Kalman Filter (EKF), eliminating full-range sweeps and offline post-processing. We introduce an enhanced UGLMS that delivers significantly faster test runtimes while maintaining estimation accuracy. First, a rank-1 EKF update replaces costly matrix inversions with efficient vector operations, and a measurement-aligned covariance-inflation strategy accelerates convergence under unexpected innovations. Second, we extend the static mismatch model with a low-order carrier polynomial to capture systematic nonlinearities beyond pure capacitor mismatch. Third, a trace-based termination adapts test length to convergence, preventing premature stops and redundant iterations. Simulations show the enhanced UGLMS reconstructs full Integral- and Differential-Non-Linearity (INL/DNL) in just 36 ms for 16-bit and under 70 ms for 18-bit ADCs (120 ms with the polynomial extension). Combining the faster convergence from covariance inflation with reduced per-iteration runtime from the rank-1 EKF update, the method reaches equal accuracy 8x faster for 16-bit ADCs. These improvements enable real-time, production-ready SAR ADC linearity testing.

Georg Siedel, Ekagra Gupta, Andrey Morozov

Robustness is critical for machine learning (ML) classifiers to ensure consistent performance in real-world applications where models may encounter corrupted or adversarial inputs. In particular, assessing the robustness of classifiers to adversarial inputs is essential to protect systems from vulnerabilities and thus ensure safety in use. However, methods to accurately compute adversarial robustness have been challenging for complex ML models and high-dimensional data. Furthermore, evaluations typically measure adversarial accuracy on specific attack budgets, limiting the informative value of the resulting metrics. This paper investigates the estimation of the more informative adversarial distance using iterative adversarial attacks and a certification approach. Combined, the methods provide a comprehensive evaluation of adversarial robustness by computing estimates for the upper and lower bounds of the adversarial distance. We present visualisations and ablation studies that provide insights into how this evaluation method should be applied and parameterised. We find that our adversarial attack approach is effective compared to related implementations, while the certification method falls short of expectations. The approach in this paper should encourage a more informative way of evaluating the adversarial robustness of ML classifiers.

Georg Siedel, Rojan Regmi, Abhirami Anand et al.

This paper proposes a training data augmentation pipeline that combines synthetic image data with neural style transfer in order to address the vulnerability of deep vision models to common corruptions. We show that although applying style transfer on synthetic images degrades their quality with respect to the common Frechet Inception Distance (FID) metric, these images are surprisingly beneficial for model training. We conduct a systematic empirical analysis of the effects of both augmentations and their key hyperparameters on the performance of image classifiers. Our results demonstrate that stylization and synthetic data complement each other well and can be combined with popular rule-based data augmentation techniques such as TrivialAugment, while not working with others. Our method achieves state-of-the-art corruption robustness on several small-scale image classification benchmarks, reaching 93.54%, 74.9% and 50.86% robust accuracy on CIFAR-10-C, CIFAR-100-C and TinyImageNet-C, respectively

Georg Siedel, Ekagra Gupta, Weijia Shao et al.

Soft augmentation regularizes the supervised learning process of image classifiers by reducing label confidence of a training sample based on the magnitude of random-crop augmentation applied to it. This paper extends this adaptive label smoothing framework to other types of aggressive augmentations beyond random-crop. Specifically, we demonstrate the effectiveness of the method for random erasing and noise injection data augmentation. Adaptive label smoothing permits stronger regularization via higher-intensity Random Erasing. However, its benefits vanish when applied with a diverse range of image transformations as in the state-of-the-art TrivialAugment method, and excessive label smoothing harms robustness to common corruptions. Our findings suggest that adaptive label smoothing should only be applied when the training data distribution is dominated by a limited, homogeneous set of image transformation types.

Georg Siedel, Weijia Shao, Silvia Vock et al.

Robustness is a fundamental property of machine learning classifiers required to achieve safety and reliability. In the field of adversarial robustness of image classifiers, robustness is commonly defined as the stability of a model to all input changes within a p-norm distance. However, in the field of random corruption robustness, variations observed in the real world are used, while p-norm corruptions are rarely considered. This study investigates the use of random p-norm corruptions to augment the training and test data of image classifiers. We evaluate the model robustness against imperceptible random p-norm corruptions and propose a novel robustness metric. We empirically investigate whether robustness transfers across different p-norms and derive conclusions on which p-norm corruptions a model should be trained and evaluated. We find that training data augmentation with a combination of p-norm corruptions significantly improves corruption robustness, even on top of state-of-the-art data augmentation schemes.

Michael Beyer, Andrey Morozov, Emil Valiev et al.

Today, Deep Learning (DL) enhances almost every industrial sector, including safety-critical areas. The next generation of safety standards will define appropriate verification techniques for DL-based applications and propose adequate fault tolerance mechanisms. DL-based applications, like any other software, are susceptible to common random hardware faults such as bit flips, which occur in RAM and CPU registers. Such faults can lead to silent data corruption. Therefore, it is crucial to develop methods and tools that help to evaluate how DL components operate under the presence of such faults. In this paper, we introduce two new Fault Injection (FI) frameworks InjectTF and InjectTF2 for TensorFlow 1 and TensorFlow 2, respectively. Both frameworks are available on GitHub and allow the configurable injection of random faults into Neural Networks (NN). In order to demonstrate the feasibility of the frameworks, we also present the results of FI experiments conducted on four VGG-based Convolutional NNs using two image sets. The results demonstrate how random bit flips in the output of particular mathematical operations and layers of NNs affect the classification accuracy. These results help to identify the most critical operations and layers, compare the reliability characteristics of functionally similar NNs, and introduce selective fault tolerance mechanisms.