Zhe Zhao,Guangke Chen,Jingyi Wang,Yiwei Yang,Fu Song,Jun Sun

DOI: https://doi.org/10.1145/3460319.3464822

2021-01-01

Abstract:As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.

Yinpeng Dong,Zhijie Deng,Tianyu Pang,Jun Zhu,Hang Su

2020-01-01

Abstract:Adversarial training (AT) is among the most effective techniques to improve model robustness by augmenting training data with adversarial examples. However, most existing AT methods adopt a specific attack to craft adversarial examples, leading to the unreliable robustness against other unseen attacks. Besides, a single attack algorithm could be insufficient to explore the space of perturbations. In this paper, we introduce adversarial distributional training (ADT), a novel framework for learning robust models. ADT is formulated as a minimax optimization problem, where the inner maximization aims to learn an adversarial distribution to characterize the potential adversarial examples around a natural one under an entropic regularizer, and the outer minimization aims to train robust models by minimizing the expected loss over the worst-case adversarial distributions. Through a theoretical analysis, we develop a general algorithm for solving ADT, and present three approaches for parameterizing the adversarial distributions, ranging from the typical Gaussian distributions to the flexible implicit ones. Empirical results on several benchmarks validate the effectiveness of ADT compared with the state-of-the-art AT methods.

Daiwei Yu,Zhuorong Li,Lina Wei,Canghong Jin,Yun Zhang,Sixian Chan

2024-03-14

Abstract:Adversarial training (AT) is currently one of the most effective ways to obtain the robustness of deep neural networks against adversarial attacks. However, most AT methods suffer from robust overfitting, i.e., a significant generalization gap in adversarial robustness between the training and testing curves. In this paper, we first identify a connection between robust overfitting and the excessive memorization of noisy labels in AT from a view of gradient norm. As such label noise is mainly caused by a distribution mismatch and improper label assignments, we are motivated to propose a label refinement approach for AT. Specifically, our Self-Guided Label Refinement first self-refines a more accurate and informative label distribution from over-confident hard labels, and then it calibrates the training by dynamically incorporating knowledge from self-distilled models into the current model and thus requiring no external teachers. Empirical results demonstrate that our method can simultaneously boost the standard accuracy and robust performance across multiple benchmark datasets, attack types, and architectures. In addition, we also provide a set of analyses from the perspectives of information theory to dive into our method and suggest the importance of soft labels for robust generalization.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Bojia Zi,Shihao Zhao,Xingjun Ma,Yu-Gang Jiang

DOI: https://doi.org/10.1109/iccv48922.2021.01613

2021-01-01

Abstract:Adversarial training is one effective approach for training robust deep neural networks against adversarial attacks. While being able to bring reliable robustness, adversarial training (AT) methods in general favor high capacity models, i.e., the larger the model the better the robustness. This tends to limit their effectiveness on small models, which are more preferable in scenarios where storage or computing resources are very limited (e.g., mobile devices). In this paper, we leverage the concept of knowledge distillation to improve the robustness of small models by distilling from adversarially trained large models. We first revisit several state-of-the-art AT methods from a distillation perspective and identify one common technique that can lead to improved robustness: the use of robust soft labels - predictions of a robust model. Following this observation, we propose a novel adversarial robustness distillation method called Robust Soft Label Adversarial Distillation (RSLAD) to train robust small student models. RSLAD fully exploits the robust soft labels produced by a robust (adversariallytrained) large teacher model to guide the student's learning on both natural and adversarial examples in all loss terms. We empirically demonstrate the effectiveness of our RSLAD approach over existing adversarial training and distillation methods in improving the robustness of small models against state-of-the-art attacks including the AutoAttack. We also provide a set of understandings on our RSLAD and the importance of robust soft labels for adversarial robustness distillation. Code: https://github.com/zibojia/RSLAD.

Dongyoon Yang,Insung Kong,Yongdai Kim

2023-08-08

Abstract:Adversarial robustness is a research area that has recently received a lot of attention in the quest for trustworthy artificial intelligence. However, recent works on adversarial robustness have focused on supervised learning where it is assumed that labeled data is plentiful. In this paper, we investigate semi-supervised adversarial training where labeled data is scarce. We derive two upper bounds for the robust risk and propose a regularization term for unlabeled data motivated by these two upper bounds. Then, we develop a semi-supervised adversarial training algorithm that combines the proposed regularization term with knowledge distillation using a semi-supervised teacher (i.e., a teacher model trained using a semi-supervised learning algorithm). Our experiments show that our proposed algorithm achieves state-of-the-art performance with significant margins compared to existing algorithms. In particular, compared to supervised learning algorithms, performance of our proposed algorithm is not much worse even when the amount of labeled data is very small. For example, our algorithm with only 8\% labeled data is comparable to supervised adversarial training algorithms that use all labeled data, both in terms of standard and robust accuracies on CIFAR-10.

Machine Learning,Artificial Intelligence

Ziang Yan,Yiwen Guo,Changshui Zhang

DOI: https://doi.org/10.48550/arXiv.1803.00404

2018-02-23

Computer Vision and Pattern Recognition

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN classifiers into making arbitrary predictions. To address this problem, we propose a training recipe named "deep defense". Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms training with adversarial/Parseval regularizations by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results are available at https://github.com/ZiangYan/deepdefense.pytorch

Ziang Yan,Yiwen Guo,Changshui Zhang

2018-01-01

Abstract:Despite the efficacy on a variety of computer vision tasks, deep neural networks (DNNs) are vulnerable to adversarial attacks, limiting their applications in security-critical systems. Recent works have shown the possibility of generating imperceptibly perturbed image inputs (a.k.a., adversarial examples) to fool well-trained DNN models into making arbitrary predictions. To address this problem, we propose a training recipe named DeepDefense. Our core idea is to integrate an adversarial perturbation-based regularizer into the classification objective, such that the obtained models learn to resist potential attacks, directly and precisely. The whole optimization problem is solved just like training a recursive network. Experimental results demonstrate that our method outperforms the state-of-the-arts by large margins on various datasets (including MNIST, CIFAR-10 and ImageNet) and different DNN architectures. Code and models for reproducing our results will be made publicly available.

Chaofei Li,Ziyuan Zhu,Ruicheng Niu,Yuting Zhao

DOI: https://doi.org/10.1016/j.cose.2024.103899

IF: 5.105

2024-05-15

Computers & Security

Abstract:Due to the security concerns arising from adversarial vulnerability in deep metric learning models, it is essential to enhance their adversarial robustness for secure neural network software development. Existing defense strategies utilize adversarial triplets to enhance adversarial robustness but sacrifice benign performance. This paper proposes a novel framework for enhancing adversarial robustness and maintaining benign performance by introducing the concept of Neural Discrete Adversarial Training (NDAT) for deep metric learning. NDAT employs VQGAN to transform the adversarial triplets into discrete inputs and then minimizes metric loss function on discrete adversarial triplets. NDAT aligns discrete adversarial examples more closely with clean samples, significantly reducing distribution deviation from their clean counterparts. Moreover, the visual explanations reveal that NDAT maintains consistent attention maps between benign and adversarial triplets and concentrates on structure details and object location perturbations. To demonstrate the effectiveness of our approach, we combine NDAT with popular adversarial methods under various perturbation iterations and intensities. Experiment evaluations on three benchmark databases illustrate that our proposed framework for deep metric learning significantly outperforms state-of-the-art defense approaches in terms of both adversarial robustness and benign performance.

computer science, information systems

Shiji Zhao,Jie Yu,Zhenlong Sun,Bo Zhang,Xingxing Wei

DOI: https://doi.org/10.1007/978-3-031-19772-7_34

2022-01-01

Abstract:Adversarial training is an effective approach for improving the robustness of deep neural networks against adversarial attacks. Although bringing reliable robustness, adversarial training (AT) will reduce the performance of identifying clean examples. Meanwhile, Adversarial training can bring more robustness for large models than small models. To improve the robust and clean accuracy of small models, we introduce the Multi-Teacher Adversarial Robustness Distillation (MTARD) to guide the adversarial training process of small models. Specifically, MTARD uses multiple large teacher models, including an adversarial teacher and a clean teacher to guide a small student model in the adversarial training by knowledge distillation. In addition, we design a dynamic training algorithm to balance the influence between the adversarial teacher and clean teacher models. A series of experiments demonstrate that our MTARD can outperform the state-of-the-art adversarial training and distillation methods against various adversarial attacks.

Peng-Fei Zhang,Zi Huang,Xin Luo,Pengfei Zhao

DOI: https://doi.org/10.1145/3551626.3564934

2022-01-01

Abstract:Despite great success achieved, deep learning methods are vulnerable to noise in the training dataset, including adversarial perturbations and annotation noise. These harmful factors significantly influence the learning process of deep models, leading to less confident models. However, existing methods have not yet studied this practical and challenging issue. In this paper, we propose a novel robust learning method, i.e., Two-Pronged Defense (TPD), which is capable of eliminating negative effects of both data perturbations and label noise during the learning process. On the one hand, to defend against delusive adversarial examples, the proposed method designs an asymmetric adversarial contrastive learning strategy to craft worse-case noisy example for original training data, and train the model to align the semantic between the perturbed data and the original data. In light of this, the TPD would be able to improve the generalization ability of the model on the potential adversarial examples. On the other hand, to combat noisy labels, the TPD applies semi-supervised learning by identifying and discarding noisy labels via a novel designed identification method. Extensive experiments on benchmarks demonstrate the incapability of existing methods and the effectiveness of the proposed method when facing both data and label noise. This work is the very first attempt in learning with data and label noise, and we hope it can pave the way for future studies in related fields.

Chuanxi Chen,Dengpan Ye,Hao Wang,Long Tang,Yue Xu

DOI: https://doi.org/10.1109/trustcom56396.2022.00035

2022-01-01

Abstract:Recent works have demonstrated that neural networks are vulnerable to adversarial attacks, while adversarial training is promising for improving robustness of deep networks. However, these models still remain vulnerable to new types of attacks not seen due to representative general samples may not be provided during training. Moreover, substantially larger datasets are necessary in adversarial robust models than those required for standard training where labeled data is expensive. In this work, we propose a novel approach to adversarial robustness, which establishes on the insights from min-max optimization that more powerful adversarial perturbations lead to more robust defense. Our algorithm is called Adversarial Training with Multidimensional Perturbations (ATMP), aims at guiding networks learn strong representations through minimizing the distance between differently augmented views via adopting an innovative contrastive learning objective function in the latent space. By perturbing the representations corresponding to key robust features, more powerful adversarial perturbations could be obtained in self-supervised form during adversarial training. Besides, we can avoid label leaking to some extent because no label information is required in generating adversarial examples. Extensive experimental results on common benchmarks show that our method can achieve high robustness against various of representative adversarial attacks. We also compare it with the existing state-of-the-art techniques, and the experiments indicate that our method is superior.

Bingzhi Chen,Shuobin Lin,Yishu Liu,Zheng Zhang,Guangming Lu,Lewei He

DOI: https://doi.org/10.1109/icme57554.2024.10687768

2024-01-01

Abstract:Despite the progress achieved by existing adversarial distillation (AD) approaches, most mainstream models suffer from inadequate adversarial robustness, due to the challenges of fixed attack strength and unreliable teacher guidance. In this paper, we propose a novel Strength-Dependent Adaptive Regularization (SDAR) paradigm to reinforce the function of adversarial distillation with strength-adaptive adversarial attack (SAA) and multi-dimensional knowledge distillation (MKD). Different from the traditional adversarial training (AT) methods, the proposed SAA scheme dynamically assigns an adaptive and efficient attack strength for each instance, which aims to facilitate smoother classification boundaries. By incorporating dynamic strength coefficients, a comprehensive MKD strategy is designed to fully explore the valuable context information and narrow distribution discrepancies across teacher-student domains. Particularly, our SDAR paradigm can seamlessly integrate with the current AD frameworks, further enhancing the adversarial robustness of deep learning models. Extensive experiments on multiple benchmark datasets consistently demonstrate the superiority of SDAR over state-of-the-art baselines.

Junhao Dong,Xinghua Qu,Z. Jane Wang,Yew-Soon Ong

2024-11-05

Abstract:Despite remarkable achievements in deep learning across various domains, its inherent vulnerability to adversarial examples still remains a critical concern for practical deployment. Adversarial training has emerged as one of the most effective defensive techniques for improving model robustness against such malicious inputs. However, existing adversarial training schemes often lead to limited generalization ability against underlying adversaries with diversity due to their overreliance on a point-by-point augmentation strategy by mapping each clean example to its adversarial counterpart during training. In addition, adversarial examples can induce significant disruptions in the statistical information w.r.t. the target model, thereby introducing substantial uncertainty and challenges to modeling the distribution of adversarial examples. To circumvent these issues, in this paper, we propose a novel uncertainty-aware distributional adversarial training method, which enforces adversary modeling by leveraging both the statistical information of adversarial examples and its corresponding uncertainty estimation, with the goal of augmenting the diversity of adversaries. Considering the potentially negative impact induced by aligning adversaries to misclassified clean examples, we also refine the alignment reference based on the statistical proximity to clean examples during adversarial training, thereby reframing adversarial training within a distribution-to-distribution matching framework interacted between the clean and adversarial domains. Furthermore, we design an introspective gradient alignment approach via matching input gradients between these domains without introducing external models. Extensive experiments across four benchmark datasets and various network architectures demonstrate that our approach achieves state-of-the-art adversarial robustness and maintains natural performance.

Machine Learning,Computer Vision and Pattern Recognition

Lin Li,Michael Spratling

2023-03-27

Abstract:Deep neural networks can be easily fooled into making incorrect predictions through corruption of the input by adversarial perturbations: human-imperceptible artificial noise. So far adversarial training has been the most successful defense against such adversarial attacks. This work focuses on improving adversarial training to boost adversarial robustness. We first analyze, from an instance-wise perspective, how adversarial vulnerability evolves during adversarial training. We find that during training an overall reduction of adversarial loss is achieved by sacrificing a considerable proportion of training samples to be more vulnerable to adversarial attack, which results in an uneven distribution of adversarial vulnerability among data. Such "uneven vulnerability", is prevalent across several popular robust training methods and, more importantly, relates to overfitting in adversarial training. Motivated by this observation, we propose a new adversarial training method: Instance-adaptive Smoothness Enhanced Adversarial Training (ISEAT). It jointly smooths both input and weight loss landscapes in an adaptive, instance-specific, way to enhance robustness more for those samples with higher adversarial vulnerability. Extensive experiments demonstrate the superiority of our method over existing defense methods. Noticeably, our method, when combined with the latest data augmentation and semi-supervised learning techniques, achieves state-of-the-art robustness against $\ell_{\infty}$-norm constrained attacks on CIFAR10 of 59.32% for Wide ResNet34-10 without extra data, and 61.55% for Wide ResNet28-10 with extra data. Code is available at <a class="link-external link-https" href="https://github.com/TreeLLi/Instance-adaptive-Smoothness-Enhanced-AT" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition,Artificial Intelligence,Machine Learning

Jiawen Li,Kun Fang,Xiaolin Huang,Jie Yang

DOI: https://doi.org/10.1016/j.cose.2023.103411

IF: 5.105

2023-01-01

Computers & Security

Abstract:Adversarial distillation (AD) which combines adversarial training with knowledge distillation has become a powerf u l procedu r e to mitigate the effects of adversarial examples to deep neural networks, which aims at distilling a robust student network from a pre-trained robust teacher network. In AD, the teacher's reliabilit y has been a crucial problem and recent work incorporates a self-distillation loss on the student into the AD framework, encouraging the student to partially trust the teacher and gradually trust itsel f more. However, the only key factor to control this trust level cannot be adaptive enough for different training samples, guiding the student to trust itsel f inappropriately and inspiring us to pursue a better w a y to obtain more reliable supervision. In this paper we revisit the performance variation of al l training samples from the teacher to student, showing that previous work is not always adaptive with the distillation and can be further refined . Accordingly, a more effective and justified supervision, namely Curricular Adversarial Distillation (CAD), is proposed to help boost the self-distillation process. In CAD, the KL divergences between both the clean and adversarial outputs of teacher and the smoothed labels are calculated for the supervision to address the teacher's unreliabilit y in the self-distillation. Besides, the smoothed labels follow a curriculum-style scheduler, getting smoothed to different degrees at different training stages and helping the teacher continuously be adaptive to the varying adversarial examples from student. Extensive experiments have shown the superiority of ou r strateg y in distilling a robust student network against various attacks.

Yujing Jiang,Xingjun Ma,Sarah Monazam Erfani,James Bailey

DOI: https://doi.org/10.1109/ijcnn52387.2021.9533363

2021-01-01

Abstract:Deep neural networks (DNNs) are known to be vulnerable to adversarial examples/attacks, raising concerns about their reliability in safety-critical applications. A number of defense methods have been proposed to train robust DNNs resistant to adversarial attacks, among which adversarial training has so far demonstrated the most promising results. However, recent studies have shown that there exists an inherent tradeoff between accuracy and robustness in adversarially-trained DNNs. In this paper, we propose a novel technique Dual Head Adversarial Training (DH-AT) to further improve the robustness of existing adversarial training methods. Different from existing improved variants of adversarial training, DH-AT modifies both the architecture of the network and the training strategy to seek more robustness. Specifically, DH-AT first attaches a second network head (or branch) to one intermediate layer of the network, then uses a lightweight convolutional neural network (CNN) to aggregate the outputs of the two heads. The training strategy is also adapted to reflect the relative importance of the two heads. We empirically show, on multiple benchmark datasets, that DH-AT can bring notable robustness improvements to existing adversarial training methods. Compared with TRADES, one state-of-the-art adversarial training method, our DH-AT can improve the robustness by 3.4% against PGD40 and 2.3% against AutoAttack, and also improve the clean accuracy by 1.8%.

Yu-Yu Wu,Hung-Jui Wang,Shang-Tse Chen

2024-04-13

Abstract:In standard adversarial training, models are optimized to fit one-hot labels within allowable adversarial perturbation budgets. However, the ignorance of underlying distribution shifts brought by perturbations causes the problem of robust overfitting. To address this issue and enhance adversarial robustness, we analyze the characteristics of robust models and identify that robust models tend to produce smoother and well-calibrated outputs. Based on the observation, we propose a simple yet effective method, Annealing Self-Distillation Rectification (ADR), which generates soft labels as a better guidance mechanism that accurately reflects the distribution shift under attack during adversarial training. By utilizing ADR, we can obtain rectified distributions that significantly improve model robustness without the need for pre-trained models or extensive extra computation. Moreover, our method facilitates seamless plug-and-play integration with other adversarial training techniques by replacing the hard labels in their objectives. We demonstrate the efficacy of ADR through extensive experiments and strong performances across datasets.

Machine Learning,Artificial Intelligence

Zeping Ye,Zhigang Zeng,Bingrong Xu

DOI: https://doi.org/10.1109/icnc59488.2023.10462820

2023-01-01

Abstract:The deep neural network (DNN) can be fooled by introducing a small perturbation to the example. Adversarial training (AT) is proven to be one of the most effective methods to improve robustness. Although the latest works to improve AT can ensure the adversarial robustness of PGD, the exploration of the performance under more disturbances is lacking, which may lead to our misunderstanding of model generalization. Moreover, they sacrifice DNN’s performance of classifying clean examples, which is called clean performance. Research shows that overfitting will be caused by the cross-mixing of distributions between natural and adversarial examples. We discover that the primary cause of cross-mixing is using the same batch-normalization (BN) layer to normalize the natural and adversarial examples because their means and variances are substantially different. We propose a new defense method which is called probabilistic distributions alignment adversarial training (PDAT). It utilizes the model with a multi-BN structure, which contains natural BN (NBN) and adversarial BN (ABN) to normalize the natural and adversarial examples separately and calculate their corresponding probabilistic distributions. It mutually trains the model through the alignment of probabilistic distributions between NBN and ABN. The natural training (NT) process of NBN is utilized to guide the training process of ABN which is much more difficult. To ensure that the model learns the correct knowledge during the alignment process, we use dynamic weights and soft-decision schemes in the loss function. This alleviates the cross-mixing problem. We conduct experiments on CIFAR10 and CIFAR100 and verify that PDAT improves robustness across a wide range of attacks while maximally maintaining clean performance. This proves that PDAT generalizes better.

Gaoyuan Zhang,Songtao Lu,Yihua Zhang,Xiangyi Chen,Pin-Yu Chen,Quanfu Fan,Lee Martie,Lior Horesh,Mingyi Hong,Sijia Liu

DOI: https://doi.org/10.48550/arXiv.2206.06257

IF: 5.414

2022-06-13

Machine Learning

Abstract:Current deep neural networks (DNNs) are vulnerable to adversarial attacks, where adversarial perturbations to the inputs can change or manipulate classification. To defend against such attacks, an effective and popular approach, known as adversarial training (AT), has been shown to mitigate the negative impact of adversarial attacks by virtue of a min-max robust training method. While effective, it remains unclear whether it can successfully be adapted to the distributed learning context. The power of distributed optimization over multiple machines enables us to scale up robust training over large models and datasets. Spurred by that, we propose distributed adversarial training (DAT), a large-batch adversarial training framework implemented over multiple machines. We show that DAT is general, which supports training over labeled and unlabeled data, multiple types of attack generation methods, and gradient compression operations favored for distributed optimization. Theoretically, we provide, under standard conditions in the optimization theory, the convergence rate of DAT to the first-order stationary points in general non-convex settings. Empirically, we demonstrate that DAT either matches or outperforms state-of-the-art robust accuracies and achieves a graceful training speedup (e.g., on ResNet-50 under ImageNet). Codes are available at https://github.com/dat-2022/dat.