Jian Xu,Heng Liu,Dexin Wu,Fucai Zhou,Chong-zhi Gao,Linzhi Jiang

DOI: https://doi.org/10.1016/j.ins.2020.05.099

IF: 8.1

2020-01-01

Information Sciences

Abstract:Adversarial machine learning, as a research area, has received a great deal of attention in recent years. Much of this attention has been devoted to a phenomenon called adversarial perturbation, which is human-imperceptible and can be used to craft adversarial examples. The deep neural networks are vulnerable to adversarial examples, which raises security concerns on learning algorithms due to the potentially severe consequences. It was shown there exist universal perturbations that are image-agnostic can fool the network when added to the majority of images. Since different attack strategies proposed for generating universal perturbation are still suffering from attack success rate, attack efficiency, and transferability. In this paper, we design an attack framework that uses a residual network (ResNet) to create universal perturbation. We introduce a trainable residual network generator that converts random noise into universal adversarial perturbation, which can be used to efficiently generate perturbations for any instance after being trained. Unlike traditional methods, moreover, we use a loss network to guarantee the similarity of images in content. The new generator structure and objective function make our method achieve better attack results than the existing methods. A variety of experiments conducted on the CIFAR-10 dataset reveal that our proposed attack framework constitutes an advance in the creation of universal adversarial perturbation, as it can achieve a success rate of 89%, which outperforms the similar methods, along with low perturbation norms.

Omar Montasser,Steve Hanneke,Nathan Srebro

DOI: https://doi.org/10.48550/arXiv.2102.02145

IF: 5.414

2021-02-03

Machine Learning

Abstract:We study the problem of learning predictors that are robust to adversarial examples with respect to an unknown perturbation set, relying instead on interaction with an adversarial attacker or access to attack oracles, examining different models for such interactions. We obtain upper bounds on the sample complexity and upper and lower bounds on the number of required interactions, or number of successful attacks, in different interaction models, in terms of the VC and Littlestone dimensions of the hypothesis class of predictors, and without any assumptions on the perturbation set.

Zhuang Qian,Shufei Zhang,Kaizhu Huang,Qiufeng Wang,Xinping Yi,Bin Gu,Huan Xiong

DOI: https://doi.org/10.1016/j.neunet.2024.106117

IF: 7.8

2024-01-09

Neural Networks

Abstract:Whilst adversarial training has been proven to be the most effective defending method against adversarial attacks for deep neural networks, it suffers from over-fitting on training adversarial data and thus may not guarantee the robust generalization. This may result from the fact that the conventional adversarial training methods generate adversarial perturbations usually in a supervised way so that the resulting adversarial examples are highly biased towards the decision boundary, leading to an inhomogeneous data distribution. To mitigate this limitation, we propose to generate adversarial examples from a perturbation diversity perspective. Specifically, the generated perturbed samples are not only adversarial but also diverse so as to certify robust generalization and significant robustness improvement through a homogeneous data distribution. We provide theoretical and empirical analysis, establishing a foundation to support the proposed method. As a major contribution, we prove that promoting perturbations diversity can lead to a better robust generalization bound. To verify our methods' effectiveness, we conduct extensive experiments over different datasets (e.g., CIFAR-10, CIFAR-100, SVHN) with different adversarial attacks (e.g., PGD, CW). Experimental results show that our method outperforms other state-of-the-art (e.g., PGD and Feature Scattering) in robust generalization performance.

computer science, artificial intelligence,neurosciences

Pratyush Maini,Xinyun Chen,Bo Li,D. Song

2022-01-01

Abstract:Recent works in adversarial robustness have proposed defenses to improve the robustness of a single model against the union of multiple perturbation types. However, these methods still suffer significant trade-offs compared to the ones specifi-cally trained to be robust against a single perturbation type. In this work, we introduce the problem of categorizing adversarial examples based on their perturbation types. We first theoretically show on a toy task that adversarial examples of different perturbation types constitute different distributions— making it possible to distinguish them. We support these arguments with experimental validation on multiple (cid:96) p attacks and common corruptions. Instead of training a single classifier, we propose P ROTECTOR , a two-stage pipeline that first cat-egorizes the perturbation type of the input, and then makes the final prediction using the classifier specifically trained against the predicted perturbation type. We theoretically show that at test time the adversary faces a natural trade-off between fool-ing the perturbation classifier and the succeeding classifier optimized with perturbation-specific adversarial training. This makes it challenging for an adversary to plant strong attacks against the whole pipeline. Experiments on MNIST and CIFAR-10 show that P ROTECTOR outperforms prior adversarial training-based defenses by over 5% when tested against the union of (cid:96) 1 , (cid:96) 2 , (cid:96) ∞ attacks. Additionally, our method extends to a more diverse attack suite, also showing large robustness gains against multiple (cid:96) p , spatial and recolor attacks.

Computer Science

Florian Tramèr,Dan Boneh

DOI: https://doi.org/10.48550/arXiv.1904.13000

2019-10-18

Abstract:Defenses against adversarial examples, such as adversarial training, are typically tailored to a single perturbation type (e.g., small $\ell_\infty$-noise). For other perturbations, these defenses offer no guarantees and, at times, even increase the model's vulnerability. Our aim is to understand the reasons underlying this robustness trade-off, and to train models that are simultaneously robust to multiple perturbation types. We prove that a trade-off in robustness to different types of $\ell_p$-bounded and spatial perturbations must exist in a natural and simple statistical setting. We corroborate our formal analysis by demonstrating similar robustness trade-offs on MNIST and CIFAR10. Building upon new multi-perturbation adversarial training schemes, and a novel efficient attack for finding $\ell_1$-bounded adversarial examples, we show that no model trained against multiple attacks achieves robustness competitive with that of models trained on each attack individually. In particular, we uncover a pernicious gradient-masking phenomenon on MNIST, which causes adversarial training with first-order $\ell_\infty, \ell_1$ and $\ell_2$ adversaries to achieve merely $50\%$ accuracy. Our results question the viability and computational scalability of extending adversarial robustness, and adversarial training, to multiple perturbation types.

Machine Learning,Cryptography and Security

Alexander Robey,Hamed Hassani,George J. Pappas

DOI: https://doi.org/10.48550/arXiv.2005.10247

2020-11-02

Abstract:While deep learning has resulted in major breakthroughs in many application domains, the frameworks commonly used in deep learning remain fragile to artificially-crafted and imperceptible changes in the data. In response to this fragility, adversarial training has emerged as a principled approach for enhancing the robustness of deep learning with respect to norm-bounded perturbations. However, there are other sources of fragility for deep learning that are arguably more common and less thoroughly studied. Indeed, natural variation such as lighting or weather conditions can significantly degrade the accuracy of trained neural networks, proving that such natural variation presents a significant challenge for deep learning. In this paper, we propose a paradigm shift from perturbation-based adversarial robustness toward model-based robust deep learning. Our objective is to provide general training algorithms that can be used to train deep neural networks to be robust against natural variation in data. Critical to our paradigm is first obtaining a model of natural variation which can be used to vary data over a range of natural conditions. Such models may be either known a priori or else learned from data. In the latter case, we show that deep generative models can be used to learn models of natural variation that are consistent with realistic conditions. We then exploit such models in three novel model-based robust training algorithms in order to enhance the robustness of deep learning with respect to the given model. Our extensive experiments show that across a variety of naturally-occurring conditions and across various datasets, deep neural networks trained with our model-based algorithms significantly outperform both standard deep learning algorithms as well as norm-bounded robust deep learning algorithms.

Machine Learning,Computer Vision and Pattern Recognition

Changming Xu,Gagandeep Singh

2023-06-06

Abstract:Universal Adversarial Perturbations (UAPs) are imperceptible, image-agnostic vectors that cause deep neural networks (DNNs) to misclassify inputs with high probability. In practical attack scenarios, adversarial perturbations may undergo transformations such as changes in pixel intensity, scaling, etc. before being added to DNN inputs. Existing methods do not create UAPs robust to these real-world transformations, thereby limiting their applicability in practical attack scenarios. In this work, we introduce and formulate UAPs robust against real-world transformations. We build an iterative algorithm using probabilistic robustness bounds and construct such UAPs robust to transformations generated by composing arbitrary sub-differentiable transformation functions. We perform an extensive evaluation on the popular CIFAR-10 and ILSVRC 2012 datasets measuring our UAPs' robustness under a wide range common, real-world transformations such as rotation, contrast changes, etc. We further show that by using a set of primitive transformations our method can generalize well to unseen transformations such as fog, JPEG compression, etc. Our results show that our method can generate UAPs up to 23% more robust than state-of-the-art baselines.

Machine Learning,Cryptography and Security

Chaojian Yu,Bo Han,Mingming Gong,Li Shen,Shiming Ge,Bo Du,Tongliang Liu

DOI: https://doi.org/10.48550/arXiv.2205.14826

IF: 5.414

2022-05-30

Machine Learning

Abstract:Overfitting widely exists in adversarial robust training of deep networks. An effective remedy is adversarial weight perturbation, which injects the worst-case weight perturbation during network training by maximizing the classification loss on adversarial examples. Adversarial weight perturbation helps reduce the robust generalization gap; however, it also undermines the robustness improvement. A criterion that regulates the weight perturbation is therefore crucial for adversarial training. In this paper, we propose such a criterion, namely Loss Stationary Condition (LSC) for constrained perturbation. With LSC, we find that it is essential to conduct weight perturbation on adversarial data with small classification loss to eliminate robust overfitting. Weight perturbation on adversarial data with large classification loss is not necessary and may even lead to poor robustness. Based on these observations, we propose a robust perturbation strategy to constrain the extent of weight perturbation. The perturbation strategy prevents deep networks from overfitting while avoiding the side effect of excessive weight perturbation, significantly improving the robustness of adversarial training. Extensive experiments demonstrate the superiority of the proposed method over the state-of-the-art adversarial training methods.

Wei Dai,Daniel Berleant

DOI: https://doi.org/10.48550/arXiv.2203.01323

2022-03-02

Abstract:Accuracies of deep learning (DL) classifiers are often unstable in that they may change significantly when retested on adversarial images, imperfect images, or perturbed images. This paper adds to the fundamental body of work on benchmarking the robustness of DL classifiers on defective images. To measure robust DL classifiers, previous research reported on single-factor corruption. We created comprehensive 69 benchmarking image sets, including a clean set, sets with single factor perturbations, and sets with two-factor perturbation conditions. The state-of-the-art two-factor perturbation includes (a) two digital perturbations (salt & pepper noise and Gaussian noise) applied in both sequences, and (b) one digital perturbation (salt & pepper noise) and a geometric perturbation (rotation) applied in both sequences. Previous research evaluating DL classifiers has often used top-1/top-5 accuracy. We innovate a new two-dimensional, statistical matrix to evaluating robustness of DL classifiers. Also, we introduce a new visualization tool, including minimum accuracy, maximum accuracy, mean accuracies, and coefficient of variation (CV), for benchmarking robustness of DL classifiers. Comparing with single factor corruption, we first report that using two-factor perturbed images improves both robustness and accuracy of DL classifiers. All source codes and related image sets are shared on the Website at <a class="link-external link-http" href="http://cslinux.semo.edu/david/data" rel="external noopener nofollow">this http URL</a> to support future academic research and industry projects.

Computer Vision and Pattern Recognition,Artificial Intelligence,Graphics

Nilantha Premakumara,Brian Jalaian,Niranjan Suri,Hooman Samani

2023-04-21

Abstract:Robustness against real-world distribution shifts is crucial for the successful deployment of object detection models in practical applications. In this paper, we address the problem of assessing and enhancing the robustness of object detection models against natural perturbations, such as varying lighting conditions, blur, and brightness. We analyze four state-of-the-art deep neural network models, Detr-ResNet-101, Detr-ResNet-50, YOLOv4, and YOLOv4-tiny, using the COCO 2017 dataset and ExDark dataset. By simulating synthetic perturbations with the AugLy package, we systematically explore the optimal level of synthetic perturbation required to improve the models robustness through data augmentation techniques. Our comprehensive ablation study meticulously evaluates the impact of synthetic perturbations on object detection models performance against real-world distribution shifts, establishing a tangible connection between synthetic augmentation and real-world robustness. Our findings not only substantiate the effectiveness of synthetic perturbations in improving model robustness, but also provide valuable insights for researchers and practitioners in developing more robust and reliable object detection models tailored for real-world applications.

Computer Vision and Pattern Recognition

Rujing Yao,Ou Wu

DOI: https://doi.org/10.1145/3644391

IF: 4.157

2024-02-03

ACM Transactions on Knowledge Discovery from Data

Abstract:Weighting strategy prevails in machine learning. For example, a common approach in robust machine learning is to exert low weights on samples which are likely to be noisy or quite hard. This study summarizes another less-explored strategy, namely, perturbation. Various incarnations of perturbation have been utilized but it has not been explicitly revealed. Learning with perturbation is called perturbation learning and a systematic taxonomy is constructed for it in this study. In our taxonomy, learning with perturbation is divided on the basis of the perturbation targets, directions, inference manners, and granularity levels. Many existing learning algorithms including some classical ones can be understood with the constructed taxonomy. Alternatively, these algorithms share the same component, namely, perturbation in their procedures. Furthermore, a family of new learning algorithms can be obtained by varying existing learning algorithms with our taxonomy. Specifically, three concrete new learning algorithms are proposed for robust machine learning. Extensive experiments on image classification and text sentiment analysis verify the effectiveness of the three new algorithms. Learning with perturbation can also be used in other various learning scenarios, such as imbalanced learning, clustering, regression, and so on.

computer science, information systems, software engineering

Soichiro Kumano,Hiroshi Kera,Toshihiko Yamasaki

2024-02-16

Abstract:It is not fully understood why adversarial examples can deceive neural networks and transfer between different networks. To elucidate this, several studies have hypothesized that adversarial perturbations, while appearing as noises, contain class features. This is supported by empirical evidence showing that networks trained on mislabeled adversarial examples can still generalize well to correctly labeled test samples. However, a theoretical understanding of how perturbations include class features and contribute to generalization is limited. In this study, we provide a theoretical framework for understanding learning from perturbations using a one-hidden-layer network trained on mutually orthogonal samples. Our results highlight that various adversarial perturbations, even perturbations of a few pixels, contain sufficient class features for generalization. Moreover, we reveal that the decision boundary when learning from perturbations matches that from standard samples except for specific regions under mild conditions. The code is available at

Machine Learning,Computer Vision and Pattern Recognition

Jie Wang,Zili Wu,Minyan Lu,Jun Ai

DOI: https://doi.org/10.3390/s24154874

2024-07-26

Abstract:The vulnerability of modern neural networks to random noise and deliberate attacks has raised concerns about their robustness, particularly as they are increasingly utilized in safety- and security-critical applications. Although recent research efforts were made to enhance robustness through retraining with adversarial examples or employing data augmentation techniques, a comprehensive investigation into the effects of training data perturbations on model robustness remains lacking. This paper presents the first extensive empirical study investigating the influence of data perturbations during model retraining. The experimental analysis focuses on both random and adversarial robustness, following established practices in the field of robustness analysis. Various types of perturbations in different aspects of the dataset are explored, including input, label, and sampling distribution. Single-factor and multi-factor experiments are conducted to assess individual perturbations and their combinations. The findings provide insights into constructing high-quality training datasets for optimizing robustness and recommend the appropriate degree of training set perturbations that balance robustness and correctness, and contribute to understanding model robustness in deep learning and offer practical guidance for enhancing model performance through perturbed retraining, promoting the development of more reliable and trustworthy deep learning systems for safety-critical applications.

Zifan Song,Xiao Gong,Guosheng Hu,Cairong Zhao

2023-01-01

Abstract:Image perturbation technique is widely used to generate adversarial examples to attack networks, greatly decreasing the performance of networks. Unlike the existing works, in this paper, we introduce a novel framework Deep Perturbation Learning (DPL), the new insights into understanding image perturbations, to enhance the performance of networks rather than decrease the performance. Specifically, we learn image perturbations to amend the data distribution of training set to improve the performance of networks. This optimization w.r.t data distribution is non-trivial. To approach this, we tactfully construct a differentiable optimization target w.r.t. image perturbations via minimizing the empirical risk. Then we propose an alternating optimization of the network weights and perturbations. DPL can easily be adapted to a wide spectrum of downstream tasks and backbone networks. Extensive experiments demonstrate the effectiveness of our DPL on 6 datasets (CIFAR-10, CIFAR-100, ImageNet, MS-COCO, PASCAL VOC, and SBD) over 3 popular vision tasks (image classification, object detection, and semantic segmentation) with different backbone architectures ( e.g. , ResNet, MobileNet, and ViT).

Liang Tong,Minzhe Guo,Atul Prakash,Yevgeniy Vorobeychik

DOI: https://doi.org/10.48550/arXiv.2005.04272

2020-10-09

Abstract:Despite the remarkable success of deep neural networks, significant concerns have emerged about their robustness to adversarial perturbations to inputs. While most attacks aim to ensure that these are imperceptible, physical perturbation attacks typically aim for being unsuspicious, even if perceptible. However, there is no universal notion of what it means for adversarial examples to be unsuspicious. We propose an approach for modeling suspiciousness by leveraging cognitive salience. Specifically, we split an image into foreground (salient region) and background (the rest), and allow significantly larger adversarial perturbations in the background, while ensuring that cognitive salience of background remains low. We describe how to compute the resulting non-salience-preserving dual-perturbation attacks on classifiers. We then experimentally demonstrate that our attacks indeed do not significantly change perceptual salience of the background, but are highly effective against classifiers robust to conventional attacks. Furthermore, we show that adversarial training with dual-perturbation attacks yields classifiers that are more robust to these than state-of-the-art robust learning approaches, and comparable in terms of robustness to conventional attacks.

Machine Learning,Cryptography and Security

Robert Bassett,Mitchell Graves,Patrick Reilly

DOI: https://doi.org/10.48550/arXiv.2008.12454

2021-03-23

Abstract:Adversarial perturbation of images, in which a source image is deliberately modified with the intent of causing a classifier to misclassify the image, provides important insight into the robustness of image classifiers. In this work we develop two new methods for constructing adversarial perturbations, both of which are motivated by minimizing human ability to detect changes between the perturbed and source image. The first of these, the Edge-Aware method, reduces the magnitude of perturbations permitted in smooth regions of an image where changes are more easily detected. Our second method, the Color-Aware method, performs the perturbation in a color space which accurately captures human ability to distinguish differences in colors, thus reducing the perceived change. The Color-Aware and Edge-Aware methods can also be implemented simultaneously, resulting in image perturbations which account for both human color perception and sensitivity to changes in homogeneous regions. Because Edge-Aware and Color-Aware modifications exist for many image perturbations techniques, we also focus on computation to demonstrate their potential for use within more complex perturbation schemes. We empirically demonstrate that the Color-Aware and Edge-Aware perturbations we consider effectively cause misclassification, are less distinguishable to human perception, and are as easy to compute as the most efficient image perturbation techniques. Code and demo available at <a class="link-external link-https" href="https://github.com/rbassett3/Color-and-Edge-Aware-Perturbations" rel="external noopener nofollow">this https URL</a>

Computer Vision and Pattern Recognition,Image and Video Processing,Machine Learning

Kun-Peng Ning,Lue Tao,Songcan Chen,Sheng-Jun Huang

DOI: https://doi.org/10.1609/aaai.v35i10.17106

2021-01-01

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:In addition to high accuracy, robustness is becoming increasingly important for machine learning models in various applications. Recently, much research has been devoted to improving the model robustness by training with noise perturbations. Most existing studies assume a fixed perturbation level for all training examples, which however hardly holds in real tasks. In fact, excessive perturbations may destroy the discriminative content of an example, while deficient perturbations may fail to provide helpful information for improving the robustness. Motivated by this observation, we propose to adaptively adjust the perturbation levels for each example in the training process. Specifically, a novel active learning framework is proposed to allow the model to interactively query the correct perturbation level from human experts. By designing a cost-effective sampling strategy along with a new query type, the robustness can be significantly improved with a few queries. Both theoretical analysis and experimental studies validate the effectiveness of the proposed approach.

Qi Liang,Qiang Li,Weizhi Nie

DOI: https://doi.org/10.1016/j.image.2022.116659

2022-01-01

Abstract:Deep neural networks achieve outstanding performance in many tasks, so they have been widely used in many applications. However, the vulnerability of deep neural networks will produce many security threats, which drives us to provide sufficient attention to adversarial robustness. Many researchers have paid attention to addressing this problem based on the perturbation injection method, which may fail to consider the content of images that correspond to the perturbed feature while only focusing on their classification scores. In general, the existing methods often improve the robustness of the model at the expense of accuracy. In this paper, we propose LD-GAN, a novel framework to improve the adversarial robustness by learning perturbations and guaranteeing classification accuracy. The classic GAN structure is employed in this work. First, we utilize a generative model to reconstruct a training image from the corresponding perturbed feature. Then, the discriminative model is utilized to control the category. The purpose is to control the magnitude of noise addition and ensure that the noise addition does not fundamentally change the feature distribution of the original category. More specifically, we utilize the soft-attention model in the perturbation-injection module, which generates noise according to different layer concerns and improves the flexibility of the noise parameters. Extensive white-box and black-box attack experiments on CIFAR-10 and CIF-100 with state-of-the-art defense methods show the effectiveness of our method.

Chuanxi Chen,Dengpan Ye,Hao Wang,Long Tang,Yue Xu

DOI: https://doi.org/10.1109/trustcom56396.2022.00035

2022-01-01

Abstract:Recent works have demonstrated that neural networks are vulnerable to adversarial attacks, while adversarial training is promising for improving robustness of deep networks. However, these models still remain vulnerable to new types of attacks not seen due to representative general samples may not be provided during training. Moreover, substantially larger datasets are necessary in adversarial robust models than those required for standard training where labeled data is expensive. In this work, we propose a novel approach to adversarial robustness, which establishes on the insights from min-max optimization that more powerful adversarial perturbations lead to more robust defense. Our algorithm is called Adversarial Training with Multidimensional Perturbations (ATMP), aims at guiding networks learn strong representations through minimizing the distance between differently augmented views via adopting an innovative contrastive learning objective function in the latent space. By perturbing the representations corresponding to key robust features, more powerful adversarial perturbations could be obtained in self-supervised form during adversarial training. Besides, we can avoid label leaking to some extent because no label information is required in generating adversarial examples. Extensive experimental results on common benchmarks show that our method can achieve high robustness against various of representative adversarial attacks. We also compare it with the existing state-of-the-art techniques, and the experiments indicate that our method is superior.

Hanjie Wu,Yongtuo Liu,Hongmin Cai,Shengfeng He

DOI: https://doi.org/10.1145/3478024

2022-01-01

Abstract:AbstractPresent studies have discovered that state-of-the-art deep learning models can be attacked by small but well-designed perturbations. Existing attack algorithms for the image captioning task is time-consuming, and their generated adversarial examples cannot transfer well to other models. To generate adversarial examples faster and stronger, we propose to learn the perturbations by a generative model that is governed by three novel loss functions. Image feature distortion loss is designed to maximize the encoded image feature distance between original images and the corresponding adversarial examples at the image domain, and local-global mismatching loss is introduced to separate the mapping encoding representation of the adversarial images and the ground true captions from a local and global perspective in the common semantic space as far as possible cross image and caption domain. Language diversity loss is to make the image captions generated by the adversarial examples as different as possible from the correct image caption at the language domain. Extensive experiments show that our proposed generative model can efficiently generate adversarial examples that successfully generalize to attack image captioning models trained on unseen large-scale datasets or with different architectures, or even the image captioning commercial service.