Bio. I am a researcher at Borealis AI, working primarily on adversarial robustness. I graduated from The Cooper Union for the Advancement of Science and Art, with a B.E. and M.E. in Electrical Engineering in May 2018. While pursuing my degree, I first emphasized improving my development skills and transferring that knowledge into real projects, which even led to a few hackathon wins! I then shifted my focus to self-studying machine learning, implementing various proposed systems and contributing to interesting recent work. I continued my journey working with the AI Foundations group during an internship at IBM Research, introducing methods in generating adversarial examples which culminated in my thesis. I'm currently proceeding with my research work, aiming to simultaneously build my expertise and contribute to the growth of artificial intelligence.

Fall 2018: Borealis AI Researcher
Summer 2017: IBM Research Intern Mentor: Pin-Yu Chen
2014-2018: The Cooper Union: BE + ME Advisor: Sam Keene

September 2018: Won first place overall in the CAAD 2018 Competition!
August 2018: Gave a talk at DEFCON 26 on my recent work!
August 2018: One paper accepted to EMNLP 2018!
June 2018: One paper accepted to the ICML 2018 Workshops!
March 2018: One paper accepted to the ICLR 2018 Workshops!
November 2017: Became a Kaggle Competitions Master!
November 2017: Achieved 1 Gold and 2 Silver Medals in the NIPS 2017 Competition Track!
November 2017: EAD has been accepted to AAAI 2018!
September 2017: ZOO has been accepted to AISec 2017!


Generating Natural Language Adversarial Examples
In the image domain, adversarial perturbations can be crafted to be virtually indistinguishable to human perception, causing humans and state-of-the-art models to disagree. However, in the natural language domain, small perturbations are clearly perceptible, and the replacement of a single word can drastically alter the semantics of the document. Given these challenges, we use a black-box population-based optimization algorithm to generate semantically and syntactically similar adversarial examples that fool well-trained sentiment analysis and textual entailment models. We additionally show that the successful adversarial examples are classified to the true label by 20 human annotators, and are perceptibly quite similar to the original. Finally, we attempt to use adversarial training as a defense, but fail to yield improvement, demonstrating the strength and diversity of the generated examples. We hope our findings encourage researchers to pursue improving robustness in the natural language domain.
Yash Sharma*, Moustafa Alzantot*, Ahmed Elgohary, Bo-Jhang Ho, Mani Srivastava, Kai-Wei Chang
EMNLP 2018
NIPS 2018 SecML Workshop Encore Track
GenAttack: Practical Black-box Attacks with Gradient-Free Optimization
Existing black-box approaches to generating adversarial examples typically require a significant number of queries, either for training a substitute network or estimating gradients from output scores. We introduce GenAttack, a gradient-free optimization technique which uses genetic algorithms for synthesizing adversarial examples in the black-box setting. Our experiments show that GenAttack can successfully generate visually imperceptible adversarial examples against image recognition models with orders of magnitude fewer queries than existing approaches. Furthermore, we show that GenAttack's query efficiency and gradient-free nature enable it to successfully attack both the state-of-the-art ImageNet defense, ensemble adversarial training, and non-differentiable, randomized input transformation defenses. Our results suggest that evolutionary algorithms open up a promising area of research into effective gradient-free black-box attacks.
Moustafa Alzantot, Yash Sharma, Supriyo Chakraborty, Mani Srivastava
Are Generative Classifiers More Robust to Adversarial Attacks?
Most recent work in adversarial attacks focuses on discriminative classifiers, which only model the conditional distribution of the labels given the inputs. We propose the deep Bayes classifier, which improves classical naive Bayes with conditional deep generative models. We further develop detection methods for adversarial examples, which reject inputs that have negative log-likelihood under the generative model exceeding a threshold pre-specified using training data. Our experimental results suggest that deep Bayes classifiers are more robust than deep discriminative classifiers, and the proposed detection methods achieve high detection rates against many recently proposed attacks.
Yingzhen Li, John Bradshaw, Yash Sharma
ICML 2018 TADGM Workshop (Oral)
Gradient-based Adversarial Attacks to Deep Neural Networks in Limited Access Settings
Master's thesis comprising of my previous work in this area. I present ZOO and EAD, and validate their effectiveness through attacking state-of-the-art models trained on the MNIST, CIFAR-10, and ImageNet datasets. In addition, I demonstrate that the proposed attacks can successfully attack recently proposed defenses in their corresponding limited access settings. I show that ZOO in the black-box case can succeed against the state-of-the-art ImageNet defense, Ensemble Adversarial Training, while EAD relying on transferability can succeed against the state-of-the-art MNIST defense, the Madry Defense Model, and input transformation defenses, such as Feature Squeezing.
Yash Sharma
Master's Thesis, 2018
Bypassing Feature Squeezing by Increasing Adversary Strength
Feature Squeezing is a recently proposed defense method which reduces the search space available to an adversary by coalescing samples that correspond to many different feature vectors in the original space into a single sample. It has been shown that feature squeezing defenses can be combined in a joint detection framework to achieve high detection rates against state-of-the-art attacks. However, we demonstrate that by increasing the adversary strength of said state-of-the-art attacks, one can bypass the detection framework with adversarial examples of minimal visual distortion. These results suggest for proposed defenses to validate against stronger attack configurations.
Yash Sharma, Pin-Yu Chen
Attacking the Madry Defense Model with L1-based Adversarial Examples
The Madry Lab recently hosted a competition designed to test the robustness of their adversarially trained MNIST model. Attacks were constrained to perturb each pixel of the input image by a scaled maximal L distortion ϵ = 0.3. This discourages the use of attacks which are not optimized on the L distortion metric. We demonstrate that by relaxing the competition's L constraint, EAD can generate transferable adversarial examples which, despite their high average L distortion, have minimal visual distortion. These results call into question the use of L as a sole measure for visual distortion, and further demonstrate the power of EAD at generating robust adversarial examples.
Yash Sharma, Pin-Yu Chen
ICLR 2018 Workshops
EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples
Despite the fact that L1 distortion accounts for the total variation and in optimization encourages sparsity in the perturbation, little has been developed for crafting L1-based adversarial examples. In this paper, we formulate the process of attacking DNNs via adversarial examples as an elastic-net regularized optimization problem. Our elastic-net attacks to DNNs (EAD) feature L1-oriented adversarial examples and include the state-of-the-art L2 attack as a special case. Experimental results on MNIST, CIFAR-10 and ImageNet show that EAD can yield a distinct set of adversarial examples with small L1 distortion which match state-of-the-art performance in different attack scenarios. More importantly, EAD leads to improved attack transferability and complements adversarial training for DNNs, suggesting novel insights on leveraging L1 distortion in adversarial machine learning.
Yash Sharma*, Pin-Yu Chen*, Huan Zhang, Jinfeng Yi, Cho-Jui Hsieh
AAAI 2018 (Oral)
ZOO: Zeroth Order Optimization based Black-box Attacks to Deep Neural Networks without Training Substitute Models
We propose an effective black-box attack that only has access to the input (images) and the output (confidence scores) of a targeted DNN. However, different from leveraging attack transferability from substitute models, we propose using zeroth order optimization (ZOO) to generate adversarial examples by directly estimating the gradients of the targeted DNN. We use zeroth order stochastic coordinate descent along with dimension reduction, hierarchical attack and importance sampling techniques to efficiently attack black-box models, sparing the need for training substitute models and avoiding the loss in attack transferability. Experimental results on MNIST, CIFAR-10 and ImageNet show that the proposed ZOO attack is as effective as the state-of-the-art white-box attack and significantly outperforms existing black-box attacks via substitute models.
Huan Zhang*, Pin-Yu Chen*, Yash Sharma, Jinfeng Yi, Cho-Jui Hsieh
AISec 2017 (Best Paper Nominee)


CAAD 2018 Competition: Adversarial Attacks and Defenses
For attacks, we leveraged adversarial transformation networks to avoid expensive computation at test-time as well as spatial gradient smoothing + random resizing to achieve transferability in the targeted case. For defense, we apply mild bernoulli random noise followed by bit-depth reduction to all but the 2 MSB. Placed 1st, 1st, and 3rd in the Targeted Attack, Non-Targeted Attack, and Defense competitions.
Yash Sharma, Tien-Dung Le, Moustafa Alzantot
Overall Winner of CAAD 2018 Competition. Prize: $38,000
Lane Keeping and Navigation Assist System
We built a miniature autonomous vehicle which can navigate through maps consisting of various road topologies. Our system is comprised of a perception module, for detecting lanes and intersections, and a control module, for lane keeping and turn making. Please refer to the write-up for further detail, and check out our demonstration video!
Yash Sharma, Vishnu Kaimal
IEEE Student Paper + Senior Project, 2018
NIPS 2017 Competition: Adversarial Attacks and Defenses
For the Attacks submissions, used PGD/BIM to attack a selected ensemble of undefended ImageNet models in both the targeted and non-targeted settings, hoping to generate robust examples which would transfer to the submitted defenses. For the Defense submission, experimented with a set of input transformation methods and settled on applying JPEG-compression (quality=25) to the inputs, feeding the output to a selected ensemble of models and yielding the decision based on a majority vote. The defense was tuned to successfully classify both weak and strong submitted adversarial examples. Placed 6th, 11th, and 14th in the Targeted Attack, Defense, and Non-Targeted Attack competitions, respectively.
Yash Sharma, Moustafa Alzantot
Achieved 1 Gold and 2 Silver Medals
Learning to Play Super Smash Bros. Melee with Delayed Actions
We used recurrent neural networks to teach a computer to play Super Smash Bros. Melee in a more humanlike way. Previously, neural network agents have been taught to play Super Smash Bros. on a competitive level with humans using reinforcement learning, but they were "too good"–unrealistically so. The computers could react much faster than a human ever could. However, when these agents were given human-like reaction speeds, they performed much worse than humans. We propose a solution to this problem by adding recurrence to the architecture, so that the computer could "remember" what it saw a few frames ago and act appropriately even though its actions are delayed. Our solution stabilizes the training of competitive agents under human-level delay, as evidenced by qualitative and quantitative results against both the built-in AI and other trained agents. With stronger training partners to play against, these agents should eventually be able to beat the world’s best.
Yash Sharma, Eli Friedman
Using Macroeconomic Forecasts to Improve Mean Reverting Trading Strategies
A set of trading strategies are based on the view that the yield curve mean-reverts. Based on these strategies' positive performance, a multiple pairs trading strategy on major currency pairs was implemented. To improve the algorithm's performance, machine learning forecasts of a series of pertinent macroeconomic variables were factored in. This addition resulted in a clear improvement in the APR over the evaluation period, demonstrating that macroeconomic indicators, not only technical indicators, should be considered in trading strategies.
Yash Sharma
Unsupervised Pretraining
Validated on the CIFAR-10 dataset that using a Split-Brain Autoencoder for unsupervised pretraining can help in situations with a dearth of labeled data. The autoencoder consists of two concatenated convolutional neural networks, one solves the problem of colorization (predicting the "ab" channel from the "L" channel in LAB colorspace), while the other performs the opposite.
Yash Sharma, Sahil Patel
The Game of Set
Completed a client-server application which allows users to play the game of SET against each other over the internet. Used JavaFX8 for the UI and MySQL for the database. On the server-side, we setup a multithreaded design, where pipes were used to communicate between threads. Used the publish-subscribe messaging pattern for server-client communication.
Yash Sharma, Sahil Patel, Shalin Patel, Kevin Sheng
show more
Loan Chain
Designed a solution for automating the loan syndication process through the use of blockchain. Utilized the hyperledger fabric to store loan proposal smart contracts on a P2P Network; interacted with the chaincode using Node.js. Built in the capability to, given bank lending criteria, optimize the pre-negotiation process through a matching algorithm implementation
Yash Sharma, Dusan Jovanovic, Ling W. Chang, Tetiana Iakovenko
Winner of the IBM Blockchain NYC Hackathon
Developed an Android application designed to serve as a banker's assistant. Allows users to view a list of their meetings, log notes about their meetings, tag stock ticks discussed in meetings, view previous logs, and create a social media message that other users can view. Furthermore, users can fill in log notes by voice through speech recognition technologies, and sentiment analysis is performed on written logs to determine the viability of initiatives regarding specific tickers. All information stored on a remote web server, which was built in Node.js and communicates with a local PostgreSQL database.
Yash Sharma, Brenda So, Shalin Patel
Winner of Credit Suisse's CodeSuisse Hackathon
SSBY Architecture
Designed an 8-bit processor with a reduced instruction set computing (RISC) design. The architecture is a Harvard architecture implementation with a 4-byte cache for data memory. The processor is able to carry out basic leaf and nested procedures, signed addition, and memory access. This is demonstrated through our non-recursive Fibonacci and our recursive multiplication example programs. The assembler/linker which converts the assembly program into 8-bit machine code was written in C++. The processor was implemented in Verilog. Our fully functional processor is single-cycle, but we did also explore pipelining it.
Yash Sharma, Shalin Patel, Matt Cavallaro
Trace the historical and current sources of pollution in the continental United States. We extracted wind data from the NOAA, pollutant concentration data from the EPA, and elevation data through the Google Maps API. We cleaned the data and compiled it into a Pandas Dataframe. We then estimated the parameters for the Gaussian Dispersion Algorithm by processing the data in PySpark, and used that to estimate the sources of pollution. We also attempted to predict pollutant concentration in the future through training a basic linear regression model with SGD.
Yash Sharma, Brenda So, Sahil Patel, Gordon Su
Our cleaned, formatted dataset is featured on Kaggle
What's Up Doc?
Created an Android doctor-patient application which ensures that patients pick up and open their medication. Doctor enters prescription -> Notification Alarm sounds when patient is assigned to take medication -> requires the entering of a verification code imprinted on the medication and logging of comments/concerns to be muted -> Doctor views logs. Utilized MongoDB as the database platform running on Linode.
Yash Sharma, Sahaj Kohli
Won prize at HackRU (Rutgers University) 2015