I am Robin Schmitt
Data Scientist with a passion for the transparent and ethical application of artificial intelligence.
My work experience
At the moment, I am working as a data scientist at Mercedes-Benz, more precisely on the #HeyMercedes in-car voice assistant.
My responsibilities include:
- Data engineering
  - End-to-end responsibility for data collection pipeline
  - Technologies: PySpark, Databricks, SQL
- User research
  - Conducting user research utilising customer data to gain strategic insights, providing BI tools
  - Technologies: Python, PowerBI
- Machine learning
  - Applying machine learning algorithms on sequential interaction data to improve our voice assistant
  - Technologies: Python, Jupyter Notebooks, pm4py, sklearn, spacy, pymc3
A full tabular CV of all my positions within Mercedes-Benz:
To - From | Occupation
---|---
now - 2021 | Data scientist for the Mercedes-Benz voice assistant: end-to-end responsibility for data collection pipeline; conducting user research utilising customer data to gain strategic insights; applying machine learning algorithms on sequential interaction data to improve our voice assistant
2021 - 2018 | Development engineer for hard- and software: system architecture and strategy for in-vehicle infotainment; multi-factor optimisation of future infotainment architectures based on historical data utilising predictive models
2018 - 2015 | Project engineer in quality management: quality and maturity management in vehicle development projects; integrating module maturity reports into actionable project reports
My academic career
In 2022, I graduated as Master of Science in the field of Data Science at Albstadt-Sigmaringen University.
Since then, I have continuously been taking courses to further improve my skills in relevant areas.
Beginning in August 2023, I joined King's College London as a visiting researcher to work on metabolomics, single-cell RNA sequencing data and risk score prediction.
The first publication to which I contributed has been published in the European Journal of Heart Failure: Serum metabolomics improves risk stratification for incident heart failure.
Initially, I studied Mechanical Engineering (Bachelor of Engineering) at the Cooperative State University Baden-Württemberg.
This unique combination of engineering and data science enables me to understand the technical background of the data I am working with and to break down complex tasks into smaller, more manageable ones.
I am able to adapt quickly to new work environments and apply my knowledge to produce reliable and fast results.
A full tabular CV of my education and certifications:
To - From | Occupation
---|---
now - 2023 | Visiting Researcher at King's College London, School of Cardiovascular and Metabolic Medicine and Sciences
2023 | XCS330 Multi-task and Meta-learning (Stanford Course), Certificate
2023 - 2022 | XCS234 Reinforcement learning (Stanford Course), Certificate
2022 - 2017 | Master of Science - Data Science (Albstadt-Sigmaringen University), Final grade: 1.2 (Best grade: 1.0)
2015 - 2012 | Bachelor of Engineering - Mechanical Engineering (Cooperative State University Baden-Württemberg), Final grade: 1.6 (Best grade: 1.0)
Utilising explainable AI algorithms to perform adversarial attacks on neural networks
On explainable AI
First, let's dive into explainable AI - this is a field that aims to provide insights into the decision making of artificial intelligence systems. Research and regulatory interest in explainable AI has risen steeply in recent years. One prominent example of regulators investigating this is the European Union - in GDPR article 5, transparency is mentioned as one of the key principles under which data has to be handled by companies. Such explanations can have different target groups:
- System developers: Those who develop intelligent systems and want to perform debugging.
- Regulatory bodies: Government bodies responsible for certification and oversight of the transparent and ethical use of AI.
- End users: People who oftentimes are not aware that they are even subject to an AI-based product.
A developer may use the insights from explainable AI to judge whether the system can be released to the public.
Regulatory bodies may require insights into the decision-making in order to certify products (e.g., Mercedes-Benz level 3 autonomous driving).
Studies have shown that end users trust recommendations more when an explanation for the recommendation is given (Explaining Collaborative Filtering Recommendations).
The actual form an explanation takes can vary depending on the purpose of the explanation. Explanations can be:
- Learned representations: Maximizing the activation of single neurons to obtain learned features / representations.
- Individual predictions: Attribute to every input dimension its contribution to the output.
- Model behaviour: Identify the general strategy of a model in achieving its task.
- Representative examples: Identify the training data that impacts / informs the classification result most.
In my work, I focused on individual predictions, because my goal was to use the information to manipulate inputs to create adversarial inputs. To this end, I created a custom implementation of the Layer-wise Relevance Propagation (LRP) explainable AI algorithm for tensorflow models. LRP describes a mathematical framework under which explanations for individual decisions can be obtained. Generally speaking, relevance messages are back-propagated throughout a neural network to obtain the contribution of each input dimension to the output.
There are three principles in LRP:
- Relevance conservation: Throughout the back-propagation, the sum of all relevances stays constant.
- Relevance guidance: The distribution of relevance during back-propagation is guided by the neuron connections and weights.
- Specific propagation rules: To optimise the explanations, layer-specific LRP-rules can be used.
Ultimately, an explanation can be computed for a model, with a specific input and a specific target label. The resulting explanation can then be represented in the input dimensions, giving each input dimension a positive or negative relevance score for the target label.
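As an added worked example (not code from the original page or the thesis), the following pure-Python implementation of one LRP propagation rule, the epsilon rule, on a small ReLU network shows the three principles in action: all relevance starts on the chosen target output, is distributed back along the weighted neuron connections, and its sum is conserved down to the input dimensions, each of which ends up with a positive or negative score. The network weights, the input and the choice of the epsilon rule are assumptions made for the demonstration.

```python
# Added example: LRP (epsilon rule) on a constructed two-layer ReLU network.
# Weights and input are made up for this demonstration (not the thesis' model).
# A layer is (W, b) with W[j][i] the weight from input i to neuron j; biases are
# zero so relevance conservation is exact (a bias would absorb some relevance).

def forward(layers, x):
    """Forward pass; returns the activations of every layer, input first."""
    acts = [list(x)]
    for idx, (W, b) in enumerate(layers):
        z = [sum(w * a for w, a in zip(row, acts[-1])) + bj for row, bj in zip(W, b)]
        if idx < len(layers) - 1:          # ReLU on hidden layers, linear output
            z = [max(0.0, v) for v in z]
        acts.append(z)
    return acts

def lrp(layers, x, target, eps=1e-9):
    """Relevance score of every input dimension for output neuron `target`."""
    acts = forward(layers, x)
    R = [0.0] * len(acts[-1])
    R[target] = acts[-1][target]           # all relevance starts on the target label
    for l in range(len(layers) - 1, -1, -1):
        W, b = layers[l]
        a = acts[l]                        # inputs to this layer
        z = [sum(w * ai for w, ai in zip(row, a)) + bj for row, bj in zip(W, b)]
        R_prev = [0.0] * len(a)
        for j, Rj in enumerate(R):
            if Rj == 0.0:                  # inactive or irrelevant neuron
                continue
            # Relevance guidance: neuron j hands relevance to input i in proportion
            # to i's weighted contribution a_i * w_ji; eps stabilises small z_j.
            denom = z[j] + eps * (1.0 if z[j] >= 0 else -1.0)
            for i, ai in enumerate(a):
                R_prev[i] += ai * W[j][i] / denom * Rj
        R = R_prev
    return R                               # positive: supports target, negative: opposes

# Constructed network: 3 inputs -> 4 ReLU hidden units -> 2 output scores.
LAYERS = [
    ([[1.0, 0.0, 0.0], [0.0, 1.0, 0.0], [0.0, 0.0, 1.0], [1.0, 1.0, 1.0]], [0.0] * 4),
    ([[1.0, 0.5, 1.0, 0.5], [0.0, 1.0, 1.0, 1.0]], [0.0] * 2),
]
X = [1.0, 2.0, -1.0]

def conservation_gap(layers, x, target):
    """Relevance conservation: sum of input relevances minus the explained output."""
    return sum(lrp(layers, x, target)) - forward(layers, x)[-1][target]

if __name__ == "__main__":
    print("relevance per input dim:", lrp(LAYERS, X, target=1))
    print("conservation gap:", conservation_gap(LAYERS, X, target=1))
```

For target label 1 the input relevances come out as roughly [1, 4, -1]: the second input dimension carries most of the evidence for the label, while the third works against it, and the scores sum to the output score 4.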
On adversarial attacks
Studies showed that neural networks are vulnerable to perturbed inputs, so-called adversarial examples, that are only slightly off the data distribution of the training data. One famous example of such adversarial attacks is the Fast Gradient Sign Method (FGSM), which has infamously shown that one small step across all input dimensions in the direction of the gradient of the input with regard to (w.r.t.) the output can fool image classification models.
Just like in xAI, adversarial attacks can take different forms. One way to distinguish attacks is to differentiate between white-box and black-box attacks. White-box attacks assume that the machine learning model as well as the training data distribution are fully available. Thus, white-box attacks are generally easier and more effective. Black-box attacks, on the other hand, are performed with only limited access to the model, for example via an API. For my work, I focused on white-box attacks (such as FGSM).
Utilising xAI to perform adversarial attacks
Finally, as both building blocks, xAI and adversarial attacks, have been introduced, I want to share the connection between these topics.
Intuitively, when attacking a classifier, we want to know which information is most valuable and obstruct / manipulate it. FGSM, for example, computes the gradient of the input w.r.t. the output. These gradients are in some cases also used for explanation purposes. Some xAI methods are even based on local perturbations (e.g., LIME) and use precisely the change in classification to determine the most important input dimensions.
The best-performing novel adversarial attack that I proposed in my thesis is the LRP-grad attack.
This attack can also be seen in action in the following gif:
Ultimately, I was able to show that the proposed LRP-grad attack outperforms iterative FGSM by reaching a higher attack success rate (ASR) at lower Lp-norms. The following graph shows this comparison:
Of course, this overview only touches the surface of my Master's thesis, so feel free to contact me if you have any input, ideas or other thoughts. To sum it up, my Master's thesis led to the following contributions:
- Custom implementation of layer-wise relevance propagation and adversarial attacks.
- Proposal of two novel adversarial attack methods.
- Quantitative benchmark of IFGSM, LRP-flip, LRP-grad and LRP-mean.
Contact
I am happy for any input that you might have, so feel free to contact me.