Business Context
RideSight deploys a convolutional neural network to classify roadside traffic signs for a driver-assistance product processing roughly 8 million camera frames per day. The model performs well on clean validation data, but security testing found that tiny, human-imperceptible perturbations can flip predictions, creating safety and reliability risk in production.
Dataset
You are given a traffic-sign image classification dataset modeled after GTSRB.
| Feature Group | Count | Examples |
|---|---|---|
| Image pixels | 43,000 train / 12,600 test | RGB images resized to 32x32 |
| Labels | 43 classes | speed_limit_30, stop, yield, no_entry |
| Metadata | 3 | capture_time, weather_bucket, camera_id |
| Corruption flags | 4 | blur_level, brightness_shift, rain_overlay, compression_level |
- Size: 55.6K labeled images, 43 classes
- Target: Multiclass — traffic sign class
- Class balance: Moderately imbalanced; largest class is ~7.5% of samples, smallest is ~1.2%
- Missing data: 8% missing in metadata fields; image tensors are complete
Success Criteria
A good solution should:
- Achieve clean test accuracy >= 95%
- Achieve FGSM robustness accuracy >= 65% at epsilon=2/255
- Limit clean-accuracy drop from robustness methods to <= 3 percentage points
- Produce a clear explanation of what adversarial robustness means and why it matters for deployed systems
Constraints
- Inference latency must remain < 15 ms per image on a T4 GPU
- The solution must be deployable in batch retraining every two weeks
- Security and safety teams require measurable robustness, not only clean accuracy
- The candidate should prefer methods that can be monitored in production
Deliverables
- Train a baseline CNN on clean images and report clean accuracy.
- Generate adversarial examples using FGSM and evaluate robustness.
- Improve robustness using adversarial training or another justified defense.
- Compare clean vs adversarial performance and explain the tradeoff.
- Propose a production monitoring plan for robustness drift and attack detection.
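As an added worked example (not part of the RideSight brief or any RideSight code), this is the FGSM evaluation from the second deliverable written in pure Python against a constructed three-class linear softmax model on four pixel features standing in for a 32x32x3 image. The weights, the samples and the `meets_success_criteria` helper are assumptions; the epsilon and the thresholds are the brief's.

```python
import math

EPSILON = 2 / 255  # the brief's L-infinity budget on [0, 1]-scaled pixels
# Constructed stand-in model: one weight row per class over 4 "pixel" features
# (class order: stop, yield, speed_limit_30).
W = [[60, -60, 60, -60], [-60, 60, -60, 60], [10, 10, 10, 10]]
B = [0.0, 0.0, -30.0]

def logits(x):
    return [sum(w * xi for w, xi in zip(row, x)) + b for row, b in zip(W, B)]

def softmax(z):
    m = max(z)
    exps = [math.exp(v - m) for v in z]
    return [e / sum(exps) for e in exps]

def predict(x):
    z = logits(x)
    return z.index(max(z))

def input_gradient(x, y):
    # dCE/dx for a linear softmax model: sum_k (p_k - [k == y]) * W[k]
    p = softmax(logits(x))
    return [sum((p[k] - (k == y)) * W[k][j] for k in range(len(W)))
            for j in range(len(x))]

def fgsm(x, y, eps=EPSILON):
    # x_adv = clip(x + eps * sign(grad_x CE), 0, 1): the result stays a valid image
    return [min(1.0, max(0.0, xi + eps * ((gi > 0) - (gi < 0))))
            for xi, gi in zip(x, input_gradient(x, y))]

def accuracy(xs, ys, attack=None):
    hits = sum(predict(attack(x, y) if attack else x) == y
               for x, y in zip(xs, ys))
    return hits / len(xs)

def meets_success_criteria(clean_acc, fgsm_acc, baseline_clean_acc):
    # The brief's targets: >= 95% clean, >= 65% FGSM, <= 3-point clean drop
    return (clean_acc >= 0.95 and fgsm_acc >= 0.65
            and baseline_clean_acc - clean_acc <= 0.03)

# Constructed samples: margins are chosen so three sit close enough to the
# decision boundary to flip under a 2/255 step (the last one also hits clipping).
XS = [[0.501, 0.499, 0.501, 0.499], [0.52, 0.48, 0.52, 0.48],
      [0.495, 0.505, 0.495, 0.505], [0.9, 0.9, 0.9, 0.9], [1.0, 0.999, 0.0, 0.0]]
YS = [0, 0, 1, 2, 0]

if __name__ == "__main__":
    print("clean accuracy:", accuracy(XS, YS))        # 1.0
    print("FGSM accuracy: ", accuracy(XS, YS, fgsm))  # 0.4
```

The same harness applies to a real CNN once `logits` and `input_gradient` are replaced by a forward pass and autograd on the input tensor; the clean-versus-FGSM gap is the robustness number the security and safety teams ask for.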