Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Jiawei Zhao,Lizhe Xie,Yuning Zhang,Siqi Gu,Zheng Wang,Yining Hu

DOI: https://doi.org/10.2139/ssrn.4850545

2024-01-01

Abstract:Deep Neural Networks (DNNs) have been shown to be vulnerable to adversarial examples. The existence of adversarial examples significantly hinders the development of deep learning technologies in domains with high-security requirements. However, current defense methods often lack universality, being effective only against specific adversarial attacks. This study focuses on analyzing adversarial examples through changes in model attention, classifying attack algorithms into attention-shifting and attention-attenuation categories. To counter attention-shifting attacks, a defense module named Feature Pyramid-based Attention Space-guided (FPAS) is proposed, which spatially retracts the shifting attention in adversarial examples, thereby enhancing the model's overall defense capability. Attention-based Non-Local (ANL) is a proposed defense module to counter attention-attenuation attacks. This module enhances the model's focus on critical features, efficiently constructing a robust defense model with low implementation cost and minimal intrusion into the original model. By integrating FPAS and ANL into the Wide-ResNet model within a boosting framework, the study demonstrates their synergistic defense capability. Even with eight adversarial samples embedded with adversarial patches, our FPAS_at and ANL_at models demonstrated significant improvements over the baseline, enhancing the average defense rate by 5.47% and 7.74%, respectively. Extensive experiments confirm that this universal defense strategy offers comprehensive protection against adversarial attacks at a lower implementation cost compared to current mainstream defense methods, while also being adaptable for integration with existing defense strategies to further enhance adversarial robustness.

Nuoyan Zhou,Nannan Wang,Decheng Liu,Dawei Zhou,Xinbo Gao

2023-11-20

Abstract:Deep neural networks are vulnerable to adversarial noise. Adversarial Training (AT) has been demonstrated to be the most effective defense strategy to protect neural networks from being fooled. However, we find AT omits to learning robust features, resulting in poor performance of adversarial robustness. To address this issue, we highlight two criteria of robust representation: (1) Exclusion: \emph{the feature of examples keeps away from that of other classes}; (2) Alignment: \emph{the feature of natural and corresponding adversarial examples is close to each other}. These motivate us to propose a generic framework of AT to gain robust representation, by the asymmetric negative contrast and reverse attention. Specifically, we design an asymmetric negative contrast based on predicted probabilities, to push away examples of different classes in the feature space. Moreover, we propose to weight feature by parameters of the linear classifier as the reverse attention, to obtain class-aware feature and pull close the feature of the same class. Empirical evaluations on three benchmark datasets show our methods greatly advance the robustness of AT and achieve state-of-the-art performance.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Yue Zhuo,Zhiqiang Ge

DOI: https://doi.org/10.36227/techrxiv.19609623.v1

2022-01-01

Abstract:Adversarial attack is to craft tiny perturbations on inputs, causing neural networks to give incorrect outputs with high confidence, while adversarial training is the de facto most successful method to obtain robust neural networks. Nevertheless, adversarial training suffers from robust overfitting: the increasing robustness gap between train and test datasets. This paper aims at reducing this robust overfitting (i.e., improving adversarially robust generalization / generalized adversarial robustness). Firstly, we study the robust bias-variance trade-off and find that the robust overfitting even happens on the simple dataset (100MNIST), which is considered free from that in previous research. Next, based on 100MNIST and Gaussian data, the correlation between feature augmentation and robust overfitting is analyzed on a theoretical basis. A novel insight is obtained: the augmentation on robust features can improve generalized adversarial robustness, through alleviating the over-optimization on non-robust features. Then, we propose a regularization term, Feature Alignment (FA), to guide synthesized sample directions. Adversarial FA aided Generative Adversarial Network, AFAGAN, generates samples aligning robust features, which can train more adversarially robust generalized models. Experiments on CIFAR10 show that augmented data of AFAGAN significantly improves the generalized adversarial robustness.

Ziming Zhao,Zhaoxuan Li,Tingting Li,Jiongchi Yu,Fan Zhang,Rui Zhang

DOI: https://doi.org/10.1145/3589335.3651524

2024-01-01

Abstract:Recent studies show that deep neural networks are extremely vulnerable, especially for adversarial examples of image classification models. However, the current defense technologies exhibit a series of limitations in terms of the adaptability of different attacks, the trade-off between clean-instance accuracy and robust one, as well as efficiency for train time overhead. To tackle these problems, we present a novel component, named redundant fully connected layer, which can be combined with existing model backbones in a pluggable manner. Specifically, we design a tailor-made loss function for it that leverages cosine similarity to maximize the difference and diversity of multiple fully connected parts. We conduct extensive experiments against 12 representative attacks (white-box and black-box), based on the popular dataset. The empirical evaluations show that our scheme realizes significant outcomes against various attacks with negligible additional training overhead, while hardly bringing collateral damage for clean-instance accuracy.

Woo Jae Kim,Yoonki Cho,Junsik Jung,Sung-Eui Yoon

2023-03-24

Abstract:Deep neural networks are susceptible to adversarial attacks due to the accumulation of perturbations in the feature level, and numerous works have boosted model robustness by deactivating the non-robust feature activations that cause model mispredictions. However, we claim that these malicious activations still contain discriminative cues and that with recalibration, they can capture additional useful information for correct model predictions. To this end, we propose a novel, easy-to-plugin approach named Feature Separation and Recalibration (FSR) that recalibrates the malicious, non-robust activations for more robust feature maps through Separation and Recalibration. The Separation part disentangles the input feature map into the robust feature with activations that help the model make correct predictions and the non-robust feature with activations that are responsible for model mispredictions upon adversarial attack. The Recalibration part then adjusts the non-robust activations to restore the potentially useful cues for model predictions. Extensive experiments verify the superiority of FSR compared to traditional deactivation techniques and demonstrate that it improves the robustness of existing adversarial training methods by up to 8.57% with small computational overhead. Codes are available at <a class="link-external link-https" href="https://github.com/wkim97/FSR" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Chai Xiuli,Wei Tongtong,Chen Zhen,He Xin,Gan Zhihua,Wu Xiangjun

DOI: https://doi.org/10.1007/s10489-022-03847-z

IF: 5.3

2022-01-01

Applied Intelligence

Abstract:Deep neural networks (DNNs) are prone to produce incorrect prediction results under the attack of adversarial samples. To cope with this problem, some defense methods are presented. However, most of them are based on adversarial training, which has great computational consumption and does not start from strengthening the architecture of the network model itself to resist the adversarial attack. Recent studies have shown that feature denoising can remove the adversarial perturbations in the adversarial samples. In this paper, we propose a lightweight denoising network with residual connection (LDN-RC), on which the internal denoising block and the intermediate denoising block are introduced for feature denoising and sample denoising, respectively; the two denoising blocks are combined in the network model, which can withstand the interference of the adversarial perturbations in the adversarial samples to a large extent and also save computational resources. In the training strategy, a two-stage denoising approach and fine-tuning are presented to train the RESNET network model on MNIST, CIFAR-10, and SVHN datasets, and the accuracy of the enhanced network model exceeds 60% on all three datasets under the $${L}_{\infty }$$ -PGD white-box attack, which demonstrate that LDN-RC can effectively improve the adversarial robustness of the network model.

Hong Wang,Yuefan Deng,Shinjae Yoo,Yuewei Lin

DOI: https://doi.org/10.1109/TCYB.2024.3380437

Abstract:While deep neural networks (DNNs) have revolutionized many fields, their fragility to carefully designed adversarial attacks impedes the usage of DNNs in safety-critical applications. In this article, we strive to explore the robust features that are not affected by the adversarial perturbations, that is, invariant to the clean image and its adversarial examples (AEs), to improve the model's adversarial robustness. Specifically, we propose a feature disentanglement model to segregate the robust features from nonrobust features and domain-specific features. The extensive experiments on five widely used datasets with different attacks demonstrate that robust features obtained from our model improve the model's adversarial robustness compared to the state-of-the-art approaches. Moreover, the trained domain discriminator is able to identify the domain-specific features from the clean images and AEs almost perfectly. This enables AE detection without incurring additional computational costs. With that, we can also specify different classifiers for clean images and AEs, thereby avoiding any drop in clean image accuracy.

Zhezhi He,A. S. Rakin,Yanzhi Wang,Liqiang Wang,Deliang Fan,Li Yang

2019-05-30

Abstract:Deep Neural Network (DNN) trained by the gradient descent method is known to be vulnerable to maliciously perturbed adversarial input, aka. adversarial attack. As one of the countermeasures against adversarial attack, increasing the model capacity for DNN robustness enhancement was discussed and reported as an effective approach by many recent works. In this work, we show that shrinking the model size through proper weight pruning can even be helpful to improve the DNN robustness under adversarial attack. For obtaining a simultaneously robust and compact DNN model, we propose a multi-objective training method called Robust Sparse Regularization (RSR), through the fusion of various regularization techniques, including channel-wise noise injection, lasso weight penalty, and adversarial training. We conduct extensive experiments across popular ResNet-20, ResNet-18 and VGG-16 DNN architectures to demonstrate the effectiveness of RSR against popular white-box (i.e., PGD and FGSM) and black-box attacks. Thanks to RSR, 85% weight connections of ResNet-18 can be pruned while still achieving 0.68% and 8.72% improvement in clean- and perturbed-data accuracy respectively on CIFAR-10 dataset, in comparison to its PGD adversarial training baseline.

Computer Science,Mathematics

Jisoo Mok,Byunggook Na,Hyeokjun Choe,Sungroh Yoon

DOI: https://doi.org/10.48550/arXiv.2108.01289

2021-08-10

Abstract:Deep neural networks continue to awe the world with their remarkable performance. Their predictions, however, are prone to be corrupted by adversarial examples that are imperceptible to humans. Current efforts to improve the robustness of neural networks against adversarial examples are focused on developing robust training methods, which update the weights of a neural network in a more robust direction. In this work, we take a step beyond training of the weight parameters and consider the problem of designing an adversarially robust neural architecture with high intrinsic robustness. We propose AdvRush, a novel adversarial robustness-aware neural architecture search algorithm, based upon a finding that independent of the training method, the intrinsic robustness of a neural network can be represented with the smoothness of its input loss landscape. Through a regularizer that favors a candidate architecture with a smoother input loss landscape, AdvRush successfully discovers an adversarially robust neural architecture. Along with a comprehensive theoretical motivation for AdvRush, we conduct an extensive amount of experiments to demonstrate the efficacy of AdvRush on various benchmark datasets. Notably, on CIFAR-10, AdvRush achieves 55.91% robust accuracy under FGSM attack after standard training and 50.04% robust accuracy under AutoAttack after 7-step PGD adversarial training.

Machine Learning,Artificial Intelligence

Yisen Wang,Difan Zou,Jinfeng Yi,James Bailey,Xingjun Ma,Quanquan Gu

2020-01-01

Abstract:Deep neural networks (DNNs) are vulnerable to adversarial examples crafted by imperceptible perturbations. A range of defense techniques have been proposed to improve DNN robustness to adversarial examples, among which adversarial training has been demonstrated to be the most effective. Adversarial training is often formulated as a min-max optimization problem, with the inner maximization for generating adversarial examples. However, there exists a simple, yet easily overlooked fact that adversarial examples are only defined on correctly classified (natural) examples, but inevitably, some (natural) examples will be misclassified during training. In this paper, we investigate the distinctive influence of misclassified and correctly classified examples on the final robustness of adversarial training. Specifically, we find that misclassified examples indeed have a significant impact on the final robustness. More surprisingly, we find that different maximization techniques on misclassified examples may have a negligible influence on the final robustness, while different minimization techniques are crucial. Motivated by the above discovery, we propose a new defense algorithm called {\em Misclassification Aware adveRsarial Training} (MART), which explicitly differentiates the misclassified and correctly classified examples during the training. We also propose a semi-supervised extension of MART, which can leverage the unlabeled data to further improve the robustness. Experimental results show that MART and its variant could significantly improve the state-of-the-art adversarial robustness.

Tao Wang,Ruixin Zhang,Xingyu Chen,Kai Zhao,Xiaolin Huang,Yuge Huang,Shaoxin Li,Jilin Li,Feiyue Huang

DOI: https://doi.org/10.48550/arXiv.2105.15157

2021-05-31

Computer Vision and Pattern Recognition

Abstract:Recent studies reveal that Convolutional Neural Networks (CNNs) are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications. Many adversarial defense methods improve robustness at the cost of accuracy, raising the contradiction between standard and adversarial accuracies. In this paper, we observe an interesting phenomenon that feature statistics change monotonically and smoothly w.r.t the rising of attacking strength. Based on this observation, we propose the adaptive feature alignment (AFA) to generate features of arbitrary attacking strengths. Our method is trained to automatically align features of arbitrary attacking strength. This is done by predicting a fusing weight in a dual-BN architecture. Unlike previous works that need to either retrain the model or manually tune a hyper-parameters for different attacking strengths, our method can deal with arbitrary attacking strengths with a single model without introducing any hyper-parameter. Importantly, our method improves the model robustness against adversarial samples without incurring much loss in standard accuracy. Experiments on CIFAR-10, SVHN, and tiny-ImageNet datasets demonstrate that our method outperforms the state-of-the-art under a wide range of attacking strengths.

Ziang Yan,Yiwen Guo,Changshui Zhang

2018-01-01

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN models into making arbitrary predictions. To address this problem, we propose a training recipe named DeepDefense. Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms the state-of-the-arts by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results will be made publicly available.

Minghao Guo,Yuzhe Yang,Rui Xu,Ziwei Liu,Dahua Lin

DOI: https://doi.org/10.48550/arXiv.1911.10695

2020-03-26

Abstract:Recent advances in adversarial attacks uncover the intrinsic vulnerability of modern deep neural networks. Since then, extensive efforts have been devoted to enhancing the robustness of deep networks via specialized learning algorithms and loss functions. In this work, we take an architectural perspective and investigate the patterns of network architectures that are resilient to adversarial attacks. To obtain the large number of networks needed for this study, we adopt one-shot neural architecture search, training a large network for once and then finetuning the sub-networks sampled therefrom. The sampled architectures together with the accuracies they achieve provide a rich basis for our study. Our "robust architecture Odyssey" reveals several valuable observations: 1) densely connected patterns result in improved robustness; 2) under computational budget, adding convolution operations to direct connection edge is effective; 3) flow of solution procedure (FSP) matrix is a good indicator of network robustness. Based on these observations, we discover a family of robust architectures (RobNets). On various datasets, including CIFAR, SVHN, Tiny-ImageNet, and ImageNet, RobNets exhibit superior robustness performance to other widely used architectures. Notably, RobNets substantially improve the robust accuracy (~5% absolute gains) under both white-box and black-box attacks, even with fewer parameter numbers. Code is available at <a class="link-external link-https" href="https://github.com/gmh14/RobNets" rel="external noopener nofollow">this https URL</a>.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Fuxun Yu,Zirui Xu,Yanzhi Wang,Chenchen Liu,Xiang Chen

DOI: https://doi.org/10.48550/arXiv.1805.09370

IF: 5.414

2018-05-23

Machine Learning

Abstract:In recent years, neural networks have demonstrated outstanding effectiveness in a large amount of applications.However, recent works have shown that neural networks are susceptible to adversarial examples, indicating possible flaws intrinsic to the network structures. To address this problem and improve the robustness of neural networks, we investigate the fundamental mechanisms behind adversarial examples and propose a novel robust training method via regulating adversarial gradients. The regulation effectively squeezes the adversarial gradients of neural networks and significantly increases the difficulty of adversarial example generation.Without any adversarial example involved, the robust training method could generate naturally robust networks, which are near-immune to various types of adversarial examples. Experiments show the naturally robust networks can achieve optimal accuracy against Fast Gradient Sign Method (FGSM) and C\&W attacks on MNIST, Cifar10, and Google Speech Command dataset. Moreover, our proposed method also provides neural networks with consistent robustness against transferable attacks.

ShengYun Peng,Weilin Xu,Cory Cornelius,Kevin Li,Rahul Duggal,Duen Horng Chau,Jason Martin

DOI: https://doi.org/10.48550/arXiv.2301.03110

2023-01-09

Abstract:Adversarial Training is the most effective approach for improving the robustness of Deep Neural Networks (DNNs). However, compared to the large body of research in optimizing the adversarial training process, there are few investigations into how architecture components affect robustness, and they rarely constrain model capacity. Thus, it is unclear where robustness precisely comes from. In this work, we present the first large-scale systematic study on the robustness of DNN architecture components under fixed parameter budgets. Through our investigation, we distill 18 actionable robust network design guidelines that empower model developers to gain deep insights. We demonstrate these guidelines' effectiveness by introducing the novel Robust Architecture (RobArch) model that instantiates the guidelines to build a family of top-performing models across parameter capacities against strong adversarial attacks. RobArch achieves the new state-of-the-art AutoAttack accuracy on the RobustBench ImageNet leaderboard. The code is available at $\href{<a class="link-external link-https" href="https://github.com/ShengYun-Peng/RobArch" rel="external noopener nofollow">this https URL</a>}{\text{this url}}$.

Computer Vision and Pattern Recognition,Artificial Intelligence

Ruozhu Yao,Chengqiang Huang,Zheng Hu,Ke Pei

DOI: https://doi.org/10.1109/ijcnn52387.2021.9534294

2021-01-01

Abstract:Neural network robustness has been a hot research topic since the discovery of adversarial examples. With the increasing threats posed by adversarial examples in safety-critical AI applications, the research problem of how to boost the robustness of neural networks has drawn even more attention in recent years. In this paper, we argue that existing methods for neural network robustness optimization primarily focus on increasing the minimum adversarial perturbation of individual datum while neglecting the purpose of the target machine learning task, i.e., classification. Consequently, we propose a neural network retraining method which implicitly enhances a model's capability in maximizing the minimum distance from data instances of all classes to the decision boundary. As demonstrated by the experiments, our method succeeds in improving the robustness of pre-trained neural networks within only a few retraining epochs while imposing little negative effect on classification accuracy, thus being applicable for online optimization of neural networks.

Yiming Li,Baoyuan Wu,Yan Feng,Yanbo Fan,Yong Jiang,Zhifeng Li,Shutao Xia

DOI: https://doi.org/10.48550/arXiv.2003.06974

2020-06-16

Abstract:Adversarial examples have been shown to be the severe threat to deep neural networks (DNNs). One of the most effective adversarial defense methods is adversarial training (AT) through minimizing the adversarial risk $R_{adv}$, which encourages both the benign example $x$ and its adversarially perturbed neighborhoods within the $\ell_{p}$-ball to be predicted as the ground-truth label. In this work, we propose a novel defense method, the robust training (RT), by jointly minimizing two separated risks ($R_{stand}$ and $R_{rob}$), which is with respect to the benign example and its neighborhoods respectively. The motivation is to explicitly and jointly enhance the accuracy and the adversarial robustness. We prove that $R_{adv}$ is upper-bounded by $R_{stand} + R_{rob}$, which implies that RT has similar effect as AT. Intuitively, minimizing the standard risk enforces the benign example to be correctly predicted, and the robust risk minimization encourages the predictions of the neighbor examples to be consistent with the prediction of the benign example. Besides, since $R_{rob}$ is independent of the ground-truth label, RT is naturally extended to the semi-supervised mode ($i.e.$, SRT), to further enhance the adversarial robustness. Moreover, we extend the $\ell_{p}$-bounded neighborhood to a general case, which covers different types of perturbations, such as the pixel-wise ($i.e.$, $x + \delta$) or the spatial perturbation ($i.e.$, $ AX + b$). Extensive experiments on benchmark datasets not only verify the superiority of the proposed SRT method to state-of-the-art methods for defensing pixel-wise or spatial perturbations separately, but also demonstrate its robustness to both perturbations simultaneously. The code for reproducing main results is available at \url{<a class="link-external link-https" href="https://github.com/THUYimingLi/Semi-supervised_Robust_Training" rel="external noopener nofollow">this https URL</a>}.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Charis Eleftheriadis,Andreas Symeonidis,Panagiotis Katsaros

DOI: https://doi.org/10.1007/s00138-024-01519-1

IF: 2.983

2024-03-16

Machine Vision and Applications

Abstract:Deep neural networks (DNNs) are key components for the implementation of autonomy in systems that operate in highly complex and unpredictable environments (self-driving cars, smart traffic systems, smart manufacturing, etc.). It is well known that DNNs are vulnerable to adversarial examples, i.e. minimal and usually imperceptible perturbations, applied to their inputs, leading to false predictions. This threat poses critical challenges, especially when DNNs are deployed in safety or security-critical systems, and renders as urgent the need for defences that can improve the trustworthiness of DNN functions. Adversarial training has proven effective in improving the robustness of DNNs against a wide range of adversarial perturbations. However, a general framework for adversarial defences is needed that will extend beyond a single-dimensional assessment of robustness improvement; it is essential to consider simultaneously several distance metrics and adversarial attack strategies. Using such an approach we report the results from extensive experimentation on adversarial defence methods that could improve DNNs resilience to adversarial threats. We wrap up by introducing a general adversarial training methodology, which, according to our experimental results, opens prospects for an holistic defence against a range of diverse types of adversarial perturbations.

computer science, cybernetics, artificial intelligence,engineering, electrical & electronic

Leo Hyun Park,Jaeuk Kim,Myung Gyo Oh,Jaewoo Park,Taekyoung Kwon

2024-02-19

Abstract:Deep learning models continue to advance in accuracy, yet they remain vulnerable to adversarial attacks, which often lead to the misclassification of adversarial examples. Adversarial training is used to mitigate this problem by increasing robustness against these attacks. However, this approach typically reduces a model's standard accuracy on clean, non-adversarial samples. The necessity for deep learning models to balance both robustness and accuracy for security is obvious, but achieving this balance remains challenging, and the underlying reasons are yet to be clarified. This paper proposes a novel adversarial training method called Adversarial Feature Alignment (AFA), to address these problems. Our research unveils an intriguing insight: misalignment within the feature space often leads to misclassification, regardless of whether the samples are benign or adversarial. AFA mitigates this risk by employing a novel optimization algorithm based on contrastive learning to alleviate potential feature misalignment. Through our evaluations, we demonstrate the superior performance of AFA. The baseline AFA delivers higher robust accuracy than previous adversarial contrastive learning methods while minimizing the drop in clean accuracy to 1.86% and 8.91% on CIFAR10 and CIFAR100, respectively, in comparison to cross-entropy. We also show that joint optimization of AFA and TRADES, accompanied by data augmentation using a recent diffusion model, achieves state-of-the-art accuracy and robustness.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition