Zhenyu Liu, Garrett Gagnon, Swagath Venkataramani, Liu Liu

2024-02-07

Abstract:Deep Neural Networks (DNNs) have revolutionized a wide range of industries, from healthcare and finance to automotive, by offering unparalleled capabilities in data analysis and decision-making. Despite their transforming impact, DNNs face two critical challenges: the vulnerability to adversarial attacks and the increasing computational costs associated with more complex and larger models. In this paper, we introduce an effective method designed to simultaneously enhance adversarial robustness and execution efficiency. Unlike prior studies that enhance robustness via uniformly injecting noise, we introduce a non-uniform noise injection algorithm, strategically applied at each DNN layer to disrupt adversarial perturbations introduced in attacks. By employing approximation techniques, our approach identifies and protects essential neurons while strategically introducing noise into non-essential neurons. Our experimental results demonstrate that our method successfully enhances both robustness and efficiency across several attack scenarios, model architectures, and datasets.

Machine Learning,Artificial Intelligence,Cryptography and Security

Gehua Ma,Rui Yan,Huajin Tang

DOI: https://doi.org/10.1016/j.patter.2023.100831

2023-01-01

Abstract:Networks of spiking neurons underpin the extraordinary information-processing capabilities of the brain and have become pillar models in neuromorphic artificial intelligence. Despite extensive research on spiking neural networks (SNNs), most studies are established on deterministic models, overlooking the inherent non-deterministic, noisy nature of neural computations. This study introduces the noisy SNN (NSNN) and the noise-driven learning (NDL) rule by incorporating noisy neuronal dynamics to exploit the computational advantages of noisy neural processing. The NSNN provides a theoretical framework that yields scalable, flexible, and reliable computation and learning. We demonstrate that this framework leads to spiking neural models with competitive performance, improved robustness against challenging perturbations compared with deterministic SNNs, and better reproducing probabilistic computation in neural coding. Generally, this study offers a powerful and easy-to-use tool for machine learning, neuromorphic intelligence practitioners, and computational neuroscience researchers.

Saima Sharmin,Priyadarshini Panda,Syed Shakib Sarwar,Chankyu Lee,Wachirawit Ponghiran,Kaushik Roy

DOI: https://doi.org/10.1109/ijcnn.2019.8851732

2019-07-01

Abstract:In this era of machine learning models, their functionality is being threatened by adversarial attacks. In the face of this struggle for making artificial neural networks robust, finding a model, resilient to these attacks, is very important. In this work, we present, for the first time, a comprehensive analysis of the behavior of more bio-plausible networks, namely Spiking Neural Network (SNN) under state-of-the-art adversarial tests. We perform a comparative study of the accuracy degradation between conventional VGG-9 Artificial Neural Network (ANN) and equivalent spiking network with CIFAR-10 dataset in both whitebox and blackbox setting for different types of single-step and multi-step FGSM (Fast Gradient Sign Method) attacks. We demonstrate that SNNs tend to show more resiliency compared to ANN under blackbox attack scenario. Additionally, we find that SNN robustness is largely dependent on the corresponding training mechanism. We observe that SNNs trained by spike-based backpropagation are more adversarially robust than the ones obtained by ANN-to-SNN conversion rules in several whitebox and blackbox scenarios. Finally, we also propose a simple, yet, effective framework for crafting adversarial attacks from SNNs. Our results suggest that attacks crafted from SNNs following our proposed method are much stronger than those crafted from ANNs.

Jianhao Ding,Tong Bu,Zhaofei Yu,Tiejun Huang,Jian K Liu

2022-01-01

Abstract:Spiking neural networks (SNNs) are promising to be widely deployed in real-time and safety-critical applications with the advance of neuromorphic computing. Recent work has demonstrated the insensitivity of SNNs to small random perturbations due to the discrete internal information representation. The variety of training algorithms and the involvement of the temporal dimension pose more threats to the robustness of SNNs than that of typical neural networks. We account for the vulnerability of SNNs by constructing adversaries based on different differentiable approximation techniques. By deriving a Lipschitz constant specifically for the spike representation, we first theoretically answer the question of how much adversarial invulnerability is retained in SNNs. Hence, to defend against the broad attack methods, we propose a regularized adversarial training scheme with low computational overheads. SNNs can benefit from the constraint of the perturbed spike distance's amplification and the generalization on multiple adversarial $\epsilon$-neighbourhoods. Our experiments on the image recognition benchmarks have proven that our training scheme can defend against powerful adversarial attacks crafted from strong differentiable approximations. To be specific, our approach makes the black-box attacks of the Projected Gradient Descent attack nearly ineffective. We believe that our work will facilitate the spread of SNNs for safety-critical applications and help understand the robustness of the human brain.

Ayoub Arous,Andres F Lopez-Lopera,Nael Abu-Ghazaleh,Ihsen Alouani

DOI: https://doi.org/10.48550/arXiv.2312.08877

IF: 5.414

2023-12-12

Machine Learning

Abstract:In this paper, we investigate the following question: Can we obtain adversarially-trained models without training on adversarial examples? Our intuition is that training a model with inherent stochasticity, i.e., optimizing the parameters by minimizing a stochastic loss function, yields a robust expectation function that is non-stochastic. In contrast to related methods that introduce noise at the input level, our proposed approach incorporates inherent stochasticity by embedding Gaussian noise within the layers of the NN model at training time. We model the propagation of noise through the layers, introducing a closed-form stochastic loss function that encapsulates a noise variance parameter. Additionally, we contribute a formalized noise-aware gradient, enabling the optimization of model parameters while accounting for stochasticity. Our experimental results confirm that the expectation model of a stochastic architecture trained on benign distribution is adversarially robust. Interestingly, we find that the impact of the applied Gaussian noise's standard deviation on both robustness and baseline accuracy closely mirrors the impact of the noise magnitude employed in adversarial training. Our work contributes adversarially trained networks using a completely different approach, with empirically similar robustness to adversarial training.

Yu Qi,Hanwen Wang,Rui Liu,Bian Wu,Yueming Wang,Gang Pan

DOI: https://doi.org/10.1016/j.neucom.2019.04.055

IF: 6

2019-01-01

Neurocomputing

Abstract:Activity-dependent plasticity plays an important role in biological neural network learning. Unlike the backpropagation-based learning in artificial neural networks that depends on supervised signals, biological neurons adjust themselves using their own historical behaviors as a clue to benefit information processing. Inspired by this biological neural mechanism, this paper proposes a novel neuron model, named Activity-Dependent Neuron (ADN). The basic idea of ADN is to add a gate in the neuron model to control its signal conduction capability, that is, the gate will facilitate transmission of important signals while suppress trivial signals. This idea can be achieved by self-tuning of activation behaviors. We also develop an iterative training algorithm, so that the ADNs can be smoothly incorporated into deep neural networks to jointly learn with the network weights. Experimental results found that the ADNs can efficiently improve the noise-resistant capability. Compared with the state-of-the-art, it is more robust to unforeseen noises. It does not need noise data for training.

Yujia Liu,Tong Bu,Jianhao Ding,Zecheng Hao,Tiejun Huang,Zhaofei Yu

2024-05-30

Abstract:Spiking Neural Networks (SNNs) have attracted great attention for their energy-efficient operations and biologically inspired structures, offering potential advantages over Artificial Neural Networks (ANNs) in terms of energy efficiency and interpretability. Nonetheless, similar to ANNs, the robustness of SNNs remains a challenge, especially when facing adversarial attacks. Existing techniques, whether adapted from ANNs or specifically designed for SNNs, exhibit limitations in training SNNs or defending against strong attacks. In this paper, we propose a novel approach to enhance the robustness of SNNs through gradient sparsity regularization. We observe that SNNs exhibit greater resilience to random perturbations compared to adversarial perturbations, even at larger scales. Motivated by this, we aim to narrow the gap between SNNs under adversarial and random perturbations, thereby improving their overall robustness. To achieve this, we theoretically prove that this performance gap is upper bounded by the gradient sparsity of the probability associated with the true label concerning the input image, laying the groundwork for a practical strategy to train robust SNNs by regularizing the gradient sparsity. We validate the effectiveness of our approach through extensive experiments on both image-based and event-based datasets. The results demonstrate notable improvements in the robustness of SNNs. Our work highlights the importance of gradient sparsity in SNNs and its role in enhancing robustness.

Neural and Evolutionary Computing,Cryptography and Security,Computer Vision and Pattern Recognition,Machine Learning

Yang Bai,Yuyuan Zeng,Yong Jiang,Yisen Wang,Shu-Tao Xia,Weiwei Guo

DOI: https://doi.org/10.48550/arXiv.2009.11508

2020-09-25

Abstract:Deep neural networks (DNNs) have demonstrated excellent performance on various tasks, however they are under the risk of adversarial examples that can be easily generated when the target model is accessible to an attacker (white-box setting). As plenty of machine learning models have been deployed via online services that only provide query outputs from inaccessible models (e.g. Google Cloud Vision API2), black-box adversarial attacks (inaccessible target model) are of critical security concerns in practice rather than white-box ones. However, existing query-based black-box adversarial attacks often require excessive model queries to maintain a high attack success rate. Therefore, in order to improve query efficiency, we explore the distribution of adversarial examples around benign inputs with the help of image structure information characterized by a Neural Process, and propose a Neural Process based black-box adversarial attack (NP-Attack) in this paper. Extensive experiments show that NP-Attack could greatly decrease the query counts under the black-box setting.

Machine Learning

Adnan Siraj Rakin,Zhezhi He,Deliang Fan

DOI: https://doi.org/10.48550/arXiv.1811.09310

2018-11-23

Abstract:Recent development in the field of Deep Learning have exposed the underlying vulnerability of Deep Neural Network (DNN) against adversarial examples. In image classification, an adversarial example is a carefully modified image that is visually imperceptible to the original image but can cause DNN model to misclassify it. Training the network with Gaussian noise is an effective technique to perform model regularization, thus improving model robustness against input variation. Inspired by this classical method, we explore to utilize the regularization characteristic of noise injection to improve DNN's robustness against adversarial attack. In this work, we propose Parametric-Noise-Injection (PNI) which involves trainable Gaussian noise injection at each layer on either activation or weights through solving the min-max optimization problem, embedded with adversarial training. These parameters are trained explicitly to achieve improved robustness. To the best of our knowledge, this is the first work that uses trainable noise injection to improve network robustness against adversarial attacks, rather than manually configuring the injected noise level through cross-validation. The extensive results show that our proposed PNI technique effectively improves the robustness against a variety of powerful white-box and black-box attacks such as PGD, C & W, FGSM, transferable attack and ZOO attack. Last but not the least, PNI method improves both clean- and perturbed-data accuracy in comparison to the state-of-the-art defense methods, which outperforms current unbroken PGD defense by 1.1 % and 6.8 % on clean test data and perturbed test data respectively using Resnet-20 architecture.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Ling Liang,Kaidi Xu,Xing Hu,Lei Deng,Yuan Xie

DOI: https://doi.org/10.48550/arXiv.2205.01625

2022-04-12

Neural and Evolutionary Computing

Abstract:As spiking neural networks (SNNs) are deployed increasingly in real-world efficiency critical applications, the security concerns in SNNs attract more attention. Currently, researchers have already demonstrated an SNN can be attacked with adversarial examples. How to build a robust SNN becomes an urgent issue. Recently, many studies apply certified training in artificial neural networks (ANNs), which can improve the robustness of an NN model promisely. However, existing certifications cannot transfer to SNNs directly because of the distinct neuron behavior and input formats for SNNs. In this work, we first design S-IBP and S-CROWN that tackle the non-linear functions in SNNs' neuron modeling. Then, we formalize the boundaries for both digital and spike inputs. Finally, we demonstrate the efficiency of our proposed robust training method in different datasets and model architectures. Based on our experiment, we can achieve a maximum $37.7\%$ attack error reduction with $3.7\%$ original accuracy loss. To the best of our knowledge, this is the first analysis on robust training of SNNs.

Chen Li,Bipin Rajendran

DOI: https://doi.org/10.48550/arXiv.2312.05290

2023-12-08

Computer Vision and Pattern Recognition

Abstract:Recent strides in low-latency spiking neural network (SNN) algorithms have drawn significant interest, particularly due to their event-driven computing nature and fast inference capability. One of the most efficient ways to construct a low-latency SNN is by converting a pre-trained, low-bit artificial neural network (ANN) into an SNN. However, this conversion process faces two main challenges: First, converting SNNs from low-bit ANNs can lead to ``occasional noise" -- the phenomenon where occasional spikes are generated in spiking neurons where they should not be -- during inference, which significantly lowers SNN accuracy. Second, although low-latency SNNs initially show fast improvements in accuracy with time steps, these accuracy growths soon plateau, resulting in their peak accuracy lagging behind both full-precision ANNs and traditional ``long-latency SNNs'' that prioritize precision over speed. In response to these two challenges, this paper introduces a novel technique named ``noise adaptor.'' Noise adaptor can model occasional noise during training and implicitly optimize SNN accuracy, particularly at high simulation times $T$. Our research utilizes the ResNet model for a comprehensive analysis of the impact of the noise adaptor on low-latency SNNs. The results demonstrate that our method outperforms the previously reported quant-ANN-to-SNN conversion technique. We achieved an accuracy of 95.95\% within 4 time steps on CIFAR-10 using ResNet-18, and an accuracy of 74.37\% within 64 time steps on ImageNet using ResNet-50. Remarkably, these results were obtained without resorting to any noise correction methods during SNN inference, such as negative spikes or two-stage SNN simulations. Our approach significantly boosts the peak accuracy of low-latency SNNs, bringing them on par with the accuracy of full-precision ANNs. Code will be open source.

Li Xiao,Zeliang Zhang,Kuihua Huang,Jinyang Jiang,Yijie Peng

DOI: https://doi.org/10.1109/case49997.2022.9926712

IF: 6.636

2024-01-01

IEEE Transactions on Automation Science and Engineering

Abstract:Artificial neural network (ANN) has been widely used in automation. However, the vulnerability of ANN under certain attacks poses security threat for critical automation systems. Adding noises to artificial neural network has been shown to be able to improve robustness in previous work. In this work, we propose a new technique to compute the pathwise stochastic gradient estimate with respect to the standard deviation of the Gaussian noise added to each neuron of the ANN. By our proposed technique, the gradient estimation with respect to noise levels is a byproduct of the back propagation algorithm for estimating gradient with respect to synaptic weights in ANN. Thus, the noise level for each neuron can be optimized simultaneously in the processing of training the synaptic weights at nearly no extra computational cost. In numerical experiments, our proposed method can achieve significant performance improvement on robustness of several popular ANN structures under both black box and white box attacks.

Aishan Liu,Xianglong Liu,Hang Yu,Chongzhi Zhang,Qiang Liu,Dacheng Tao

DOI: https://doi.org/10.1109/tip.2021.3082317

IF: 10.6

2021-01-01

IEEE Transactions on Image Processing

Abstract:In practice, deep neural networks have been found to be vulnerable to various types of noise, such as adversarial examples and corruption. Various adversarial defense methods have accordingly been developed to improve adversarial robustness for deep models. However, simply training on data mixed with adversarial examples, most of these models still fail to defend against the generalized types of noise. Motivated by the fact that hidden layers play a highly important role in maintaining a robust model, this paper proposes a simple yet powerful training algorithm, named Adversarial Noise Propagation (ANP), which injects noise into the hidden layers in a layer-wise manner. ANP can be implemented efficiently by exploiting the nature of the backward-forward training style. Through thorough investigations, we determine that different hidden layers make different contributions to model robustness and clean accuracy, while shallow layers are comparatively more critical than deep layers. Moreover, our framework can be easily combined with other adversarial training methods to further improve model robustness by exploiting the potential of hidden layers. Extensive experiments on MNIST, CIFAR-10, CIFAR-10-C, CIFAR-10-P, and ImageNet demonstrate that ANP enables the strong robustness for deep models against both adversarial and corrupted ones, and also significantly outperforms various adversarial defense methods.

computer science, artificial intelligence,engineering, electrical & electronic

Chaoyi Ban,Linbo Shan,Gaoqi Yang,Jiajun Gao,Lindong Wu,Zongwei Wang,Yimao Cai,Ru Huang

DOI: https://doi.org/10.1109/snw63608.2024.10639247

2024-01-01

Abstract:Spiking Neural Networks (SNNs) have demonstrated significant potential in power-efficient edge computing. However, SNNs are vulnerable to adversarial attacks which seriously affects the accuracy and thus limits its application. In this study, a defense mechanism against adversarial attacks is demonstrated based on VO 2 spiking neuron. The spiking neuron circuit (SNC) can mimic the protective mechanism of neurons to effectively filter adversarial perturbations among input signals. Furthermore, we evaluate the ability of SNC-based SNNs against adversarial attacks with MNIST task. The SNC-based SNNs can effectively withstand adversarial attacks, achieving an 18.87% improvement in accuracy compared to the ReLU method under 30% disturbance. The results demonstrate that the SNC method has significant advantage in enhancing the SNN system's ability to resist adversarial attacks. This research provides an innovative solution to tackle the security issue in highly reliable neuromorphic computing.

Evgenii Zheltonozhskii,Chaim Baskin,Yaniv Nemcovsky,Brian Chmiel,Avi Mendelson,Alex M. Bronstein

DOI: https://doi.org/10.48550/arXiv.2003.02188

2020-03-20

Abstract:Even though deep learning has shown unmatched performance on various tasks, neural networks have been shown to be vulnerable to small adversarial perturbations of the input that lead to significant performance degradation. In this work we extend the idea of adding white Gaussian noise to the network weights and activations during adversarial training (PNI) to the injection of colored noise for defense against common white-box and black-box attacks. We show that our approach outperforms PNI and various previous approaches in terms of adversarial accuracy on CIFAR-10 and CIFAR-100 datasets. In addition, we provide an extensive ablation study of the proposed method justifying the chosen configurations.

Machine Learning,Computer Vision and Pattern Recognition

Keming Wu,Man Yao,Yuhong Chou,Xuerui Qiu,Rui Yang,Bo Xu,Guoqi Li

2024-07-29

Abstract:Spiking Neural Networks (SNNs) have received widespread attention due to their unique neuronal dynamics and low-power nature. Previous research empirically shows that SNNs with Poisson coding are more robust than Artificial Neural Networks (ANNs) on small-scale datasets. However, it is still unclear in theory how the adversarial robustness of SNNs is derived, and whether SNNs can still maintain its adversarial robustness advantage on large-scale dataset tasks. This work theoretically demonstrates that SNN's inherent adversarial robustness stems from its Poisson coding. We reveal the conceptual equivalence of Poisson coding and randomized smoothing in defense strategies, and analyze in depth the trade-off between accuracy and adversarial robustness in SNNs via the proposed Randomized Smoothing Coding (RSC) method. Experiments demonstrate that the proposed RSC-SNNs show remarkable adversarial robustness, surpassing ANNs and achieving state-of-the-art robustness results on large-scale dataset ImageNet. Our open-source implementation code is available at this https URL: <a class="link-external link-https" href="https://github.com/KemingWu/RSC-SNN" rel="external noopener nofollow">this https URL</a>.

Computer Vision and Pattern Recognition

Ran Wang,Haopeng Ke,Meng Hu,Wenhui Wu

DOI: https://doi.org/10.1016/j.neunet.2023.12.041

IF: 7.8

2024-04-01

Neural Networks

Abstract:Deep neural networks (DNNs) are vulnerable to the attacks of adversarial examples, which bring serious security risks to the learning systems. In this paper, we propose a new defense method to improve the adversarial robustness of DNNs based on stochastic neural networks (SNNs), termed as Margin-SNN. The proposed Margin-SNN mainly includes two modules, i.e., feature uncertainty learning module and label embedding module. The first module introduces uncertainty to the latent feature space by giving each sample a distributional representation rather than a fixed point representation, and leverages the advantages of variational information bottleneck method in achieving good intra-class compactness in latent space. The second module develops a label embedding mechanism to take advantage of the semantic information underlying the labels, which maps the labels into the same latent space with the features, in order to capture the similarity between sample and its class centroid, where a penalty term is equipped to elegantly enlarge the margin between different classes for better inter-class separability. Since no adversarial information is introduced, the proposed model can be learned in standard training to improve adversarial robustness, which is much more efficient than adversarial training. Extensive experiments on data sets MNIST, FASHION MNIST, CIFAR10, CIFAR100 and SVHN demonstrate superior defensive ability of the proposed method. Our code is available at https://github.com/humeng24/Margin-SNN.

computer science, artificial intelligence,neurosciences

Ziqi Zhu,Bin Zhu,Huan Zhang,Yu Geng,Le Wang,Denghui Zhang,Zhaoquan Gu

DOI: https://doi.org/10.1109/dsc55868.2022.00040

2022-01-01

Abstract:Although deep neural networks (DNNs) show un-precedented performance in various tasks, the vulnerability brought by adversarial samples to the models can incur security concerns, such as causing accidents by automatic driving, or in industrial manufacturing. Due to the discrete nature of textual data and the limitation of real-world access to the model, more and more attacks focus on iterative query attacks under black-box scenarios. The core idea is to query the models frequently to obtain the mapping relations between different input samples and the outputs, which guides the attack’s direction. Once we break down the input-output mapping relations, it will affect the attack’s query and local search process, which enables the defense against such attacks. With this motivation, we add tiny noise to the input samples to break the mapping relationship obtained by black-box attacks and we name the defense method as Gaussian Noise Perturbation Defence (GNPD). We analyze how the noise hinders the attack theoretically and demonstrate the effectiveness of the defense method on two datasets and three language models. The experimental results corroborate our analysis and our method has little impact to the performance of the original model.

Rachel Sterneck,Abhishek Moitra,Priyadarshini Panda

DOI: https://doi.org/10.1109/TCAD.2021.3091436

2021-07-04

Abstract:Neural networks have achieved remarkable performance in computer vision, however they are vulnerable to adversarial examples. Adversarial examples are inputs that have been carefully perturbed to fool classifier networks, while appearing unchanged to humans. Based on prior works on detecting adversaries, we propose a structured methodology of augmenting a deep neural network (DNN) with a detector subnetwork. We use $\textit{Adversarial Noise Sensitivity}$ (ANS), a novel metric for measuring the adversarial gradient contribution of different intermediate layers of a network. Based on the ANS value, we append a detector to the most sensitive layer. In prior works, more complex detectors were added to a DNN, increasing the inference computational cost of the model. In contrast, our structured and strategic addition of a detector to a DNN reduces the complexity of the model while making the overall network adversarially resilient. Through comprehensive white-box and black-box experiments on MNIST, CIFAR-10, and CIFAR-100, we show that our method improves state-of-the-art detector robustness against adversarial examples. Furthermore, we validate the energy efficiency of our proposed adversarial detection methodology through an extensive energy analysis on various hardware scalable CMOS accelerator platforms. We also demonstrate the effects of quantization on our detector-appended networks.

Computer Vision and Pattern Recognition

Xuanqing Liu,Tesi Xiao,Si Si,Qin Cao,Sanjiv Kumar,Cho-Jui Hsieh

DOI: https://doi.org/10.48550/arXiv.1906.02355

IF: 5.414

2019-06-05

Machine Learning

Abstract:Neural Ordinary Differential Equation (Neural ODE) has been proposed as a continuous approximation to the ResNet architecture. Some commonly used regularization mechanisms in discrete neural networks (e.g. dropout, Gaussian noise) are missing in current Neural ODE networks. In this paper, we propose a new continuous neural network framework called Neural Stochastic Differential Equation (Neural SDE) network, which naturally incorporates various commonly used regularization mechanisms based on random noise injection. Our framework can model various types of noise injection frequently used in discrete networks for regularization purpose, such as dropout and additive/multiplicative noise in each block. We provide theoretical analysis explaining the improved robustness of Neural SDE models against input perturbations/adversarial attacks. Furthermore, we demonstrate that the Neural SDE network can achieve better generalization than the Neural ODE and is more resistant to adversarial and non-adversarial input perturbations.