Hao Bu,Meng Sun

DOI: https://doi.org/10.1109/IJCNN54540.2023.10191319

2023-01-01

Abstract:Measuring robustness of deep neural networks (DNNs) is an important topic for trustworthy AI. Existing methods for verifying local robustness of DNNs usually face the scalability problem and have difficulties to deal with nonlinear activation functions and complex semantic perturbations. Existing methods for measuring global robustness usually rely on large datasets, so it is difficult for users without a large dataset to compare the global robustness of different networks. In this paper, we propose two algorithms to measure the local and global robustness of DNNs from the lens of statistical model checking. Compared with the local robustness estimation method using the Okamoto bound, our method can provide the same theoretical guarantee using only 48.6%-74.1% of running time. Our global robustness estimation algorithm can provide highquality estimation using only 10 images for CIFAR-10 and 50 images for ImageNet, thus can be used in a wider range of scenarios.

Yizhen Dong,Peixin Zhang,Jingyi Wang,Shuang Liu,Jun Sun,Jianye Hao,Xinyu Wang,Li Wang,Jin Song Dong,Dai Ting

DOI: https://doi.org/10.48550/arxiv.1911.05904

2019-01-01

Abstract:Deep neural networks (DNN) are increasingly applied in safety-critical systems, e.g., for face recognition, autonomous car control and malware detection. It is also shown that DNNs are subject to attacks such as adversarial perturbation and thus must be properly tested. Many coverage criteria for DNN since have been proposed, inspired by the success of code coverage criteria for software programs. The expectation is that if a DNN is a well tested (and retrained) according to such coverage criteria, it is more likely to be robust. In this work, we conduct an empirical study to evaluate the relationship between coverage, robustness and attack/defense metrics for DNN. Our study is the largest to date and systematically done based on 100 DNN models and 25 metrics. One of our findings is that there is limited correlation between coverage and robustness, i.e., improving coverage does not help improve the robustness. Our dataset and implementation have been made available to serve as a benchmark for future studies on testing DNN.

Yizhen Dong,Peixin Zhang,Jingyi Wang,Shuang Liu,Jun Sun,Jianye Hao,Xinyu Wang,Li Wang,Jin Song Dong,Ting Dai

DOI: https://doi.org/10.1109/ICECCS51672.2020.00016

2020-01-01

Abstract:Deep neural networks (DNN) are increasingly applied in safety-critical systems, e.g., for face recognition, autonomous car control and malware detection. It is also shown that DNNs are subject to attacks such as adversarial perturbation and thus must be properly tested. Many coverage criteria for DNN since have been proposed, inspired by the success of code coverage criteria for software programs. The expectation is that if a DNN is well tested (and retrained) according to such coverage criteria, it is more likely to be robust. In this work, we conduct an empirical study to evaluate the relationship between coverage, robustness and attack/defense metrics for DNN. Our study is the largest to date and systematically done based on 100 DNN models and 25 metrics. One of our findings is that there is limited correlation between coverage and robustness, i.e., improving coverage does not help improve the robustness. Our dataset and implementation have been made available to serve as a benchmark for future studies on testing DNN.

Hao Bu,Meng Sun

DOI: https://doi.org/10.1109/ICECCS59891.2023.00016

2023-01-01

Abstract:Since the discovery of adversarial examples, the local robustness of deep neural networks (DNNs) has received much attention. Moreover, researchers find that DNNs are also sensitive to semantic perturbations like fog, contrast and Gaussian noise. Due to the complexity of semantic perturbations, existing works only focus on local robustness towards some specific perturbations such as brightness and rotation. In this paper, we propose a statistics-based method to certify DNN’s local robustness towards general semantic perturbations. First, we give the formal definitions of semantic perturbations and local semantic robustness. Our definitions are general enough to cover almost all perturbations of concern. Then we develop a statistical certification algorithm. Our evaluations on CIFAR-10 and ImageNet show that compared with the state-of-the-art statistical certification algorithm, our method can provide the same theoretical guarantees using only 3.32%-6.55% of running time.

Jie Wang,Jun Ai,Minyan Lu,Haoran Su,Dan Yu,Yutao Zhang,Junda Zhu,Jingyu Liu

2024-04-15

Abstract:In recent years, there has been significant attention given to the robustness assessment of neural networks. Robustness plays a critical role in ensuring reliable operation of artificial intelligence (AI) systems in complex and uncertain environments. Deep learning's robustness problem is particularly significant, highlighted by the discovery of adversarial attacks on image classification models. Researchers have dedicated efforts to evaluate robustness in diverse perturbation conditions for image recognition tasks. Robustness assessment encompasses two main techniques: robustness verification/ certification for deliberate adversarial attacks and robustness testing for random data corruptions. In this survey, we present a detailed examination of both adversarial robustness (AR) and corruption robustness (CR) in neural network assessment. Analyzing current research papers and standards, we provide an extensive overview of robustness assessment in image recognition. Three essential aspects are analyzed: concepts, metrics, and assessment methods. We investigate the perturbation metrics and range representations used to measure the degree of perturbations on images, as well as the robustness metrics specifically for the robustness conditions of classification models. The strengths and limitations of the existing methods are also discussed, and some potential directions for future research are provided.

Computer Vision and Pattern Recognition,Artificial Intelligence,Systems and Control

Mark Huasong Meng,Guangdong Bai,Sin Gee Teo,Zhe Hou,Yan Xiao,Yun Lin,Jin Song Dong

DOI: https://doi.org/10.1109/tdsc.2022.3179131

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Neural networks have been widely applied in security applications such as spam and phishing detection, intrusion prevention, and malware detection. This black-box method, however, often has uncertainty and poor explainability in applications. Furthermore, neural networks themselves are often vulnerable to adversarial attacks. For those reasons, there is a high demand for trustworthy and rigorous methods to verify the robustness of neural network models. Adversarial robustness, which concerns the reliability of a neural network when dealing with maliciously manipulated inputs, is one of the hottest topics in security and machine learning. In this work, we survey existing literature in adversarial robustness verification for neural networks and collect 39 diversified research works across machine learning, security, and software engineering domains. We systematically analyze their approaches, including how robustness is formulated, what verification techniques are used, and the strengths and limitations of each technique. We provide a taxonomy from a formal verification perspective for a comprehensive understanding of this topic. We classify the existing techniques based on property specification, problem reduction, and reasoning strategies. We also demonstrate representative techniques that have been applied in existing studies with a sample model. Finally, we discuss open questions for future research.

Alfred Laugros,Alice Caplier,Matthieu Ospici

DOI: https://doi.org/10.48550/arXiv.1909.02436

2019-10-09

Abstract:Neural Networks have been shown to be sensitive to common perturbations such as blur, Gaussian noise, rotations, etc. They are also vulnerable to some artificial malicious corruptions called adversarial examples. The adversarial examples study has recently become very popular and it sometimes even reduces the term "adversarial robustness" to the term "robustness". Yet, we do not know to what extent the adversarial robustness is related to the global robustness. Similarly, we do not know if a robustness to various common perturbations such as translations or contrast losses for instance, could help with adversarial corruptions. We intend to study the links between the robustnesses of neural networks to both perturbations. With our experiments, we provide one of the first benchmark designed to estimate the robustness of neural networks to common perturbations. We show that increasing the robustness to carefully selected common perturbations, can make neural networks more robust to unseen common perturbations. We also prove that adversarial robustness and robustness to common perturbations are independent. Our results make us believe that neural network robustness should be addressed in a broader sense.

Machine Learning,Computer Vision and Pattern Recognition

You Li,Guannan Zhao,Shuyu Kong,Yunqi He,Hai Zhou

2024-05-31

Abstract:A globally robust deep neural network resists perturbations on all meaningful inputs. Current robustness certification methods emphasize local robustness, struggling to scale and generalize. This paper presents a systematic and efficient method to evaluate and verify global robustness for deep neural networks, leveraging the PAC verification framework for solid guarantees on verification results. We utilize probabilistic programs to characterize meaningful input regions, setting a realistic standard for global robustness. Additionally, we introduce the cumulative robustness curve as a criterion in evaluating global robustness. We design a statistical method that combines multi-level splitting and regression analysis for the estimation, significantly reducing the execution time. Experimental results demonstrate the efficiency and effectiveness of our verification method and its capability to find rare and diversified counterexamples for adversarial training.

Machine Learning,Artificial Intelligence

LIN Dian,PAN Li,YI Ping

DOI: https://doi.org/10.11959/j.issn.2096−109x.2022037

2022-01-01

Abstract:Convolutional neural network is one of the key technologies in the application of image recognition and processing in artificial intelligence.Its wide application makes researches on its robustness more and more important.Previous researches on robustness of neural networks were too sweeping and most of them focused on adversarial robustness, which causes difficulty in further study in the mechanism of neural network robustness.The related researches of neuroscience were introduced and the concept of visual robustness was put forward.By studying the similarity and difference between neural network models and human visual system, the internal mechanism and faults of neural network robustness were revealed.The researches of neural network robustness in recent years were reviewed, and the reasons for the lack of robustness of neural network models were analyzed.The lack of robustness of neural networks is reflected in their sensitivity to small perturbations.The reason is that neural networks tend to learn high-frequency information for calculation and inference, which is difficult for humans to recognize.High-frequency information is easily affected by perturbations, and eventually causes mistakes of models.Previous researches on robustness mostly focused on mathematical properties of models, and were limited in the natural faults of neural networks.Visual robustness extends the traditional concept of robustness.The traditional concept of robustness measures the discrimination ability of models for distorted image examples.Distorted examples and clean examples can get correct outputs through robust models.Visual robustness measures the consistency between models and humans in discrimination ability.Visual robustness combines the research methods and achievements of neuroscience and psychology with artificial intelligence.The development of neuroscience in the field of vision were reviewed, and the application of research methods of cognitive psychology in neural network robustness were discussed.Human visual system has advantages in learning and abstract ability, whill neural network models have better performance in calculation speed and memory.The difference between the physiological structure of human brain and the logical structure of neural network models is the key factor leading to the problem of robustness of neural networks.The research of visual robustness requires deeper understanding of human visual system.Revealing the differences in cognitive mechanism between human visual system and neural network models and effectively improving the algorithm are the development trends of neural network robustness and even artificial intelligence.

Sun Weidi,Lu Yuteng,Zhang Xiyue,Zhu Zhanxing,Sun Meng

2020-01-01

Abstract: The wide deployment of deep neural networks, though achieving great success in many domains, has severe safety and reliability concerns. Existing adversarial attack generation and automatic verification techniques cannot formally verify whether a network is globally robust, i.e., the absence or not of adversarial examples in the input space. To address this problem, we develop a global robustness verification framework with three components: 1) a novel rule-based ``back-propagation'' finding which input region is responsible for the class assignment by logic reasoning; 2) a new network architecture Sliding Door Network (SDN) enabling feasible rule-based ``back-propagation''; 3) a region-based global robustness verification (RGRV) approach. Moreover, we demonstrate the effectiveness of our approach on both synthetic and real datasets.

Hai Shu,Hongtu Zhu

DOI: https://doi.org/10.1609/aaai.v33i01.33014943

2019-07-17

Proceedings of the AAAI Conference on Artificial Intelligence

Abstract:Deep neural networks (DNNs) have achieved superior performance in various prediction tasks, but can be very vulnerable to adversarial examples or perturbations. Therefore, it is crucial to measure the sensitivity of DNNs to various forms of perturbations in real applications. We introduce a novel perturbation manifold and its associated influence measure to quantify the effects of various perturbations on DNN classifiers. Such perturbations include various external and internal perturbations to input samples and network parameters. The proposed measure is motivated by information geometry and provides desirable invariance properties. We demonstrate that our influence measure is useful for four model building tasks: detecting potential ‘outliers’, analyzing the sensitivity of model architectures, comparing network sensitivity between training and test sets, and locating vulnerable areas. Experiments show reasonably good performance of the proposed measure for the popular DNN models ResNet50 and DenseNet121 on CIFAR10 and MNIST datasets.

Antonios Alexos,Konstantinos P. Panousis,Sotirios Chatzis

DOI: https://doi.org/10.48550/arXiv.2006.10620

2020-06-18

Abstract:This work attempts to address adversarial robustness of deep networks by means of novel learning arguments. Specifically, inspired from results in neuroscience, we propose a local competition principle as a means of adversarially-robust deep learning. We argue that novel local winner-takes-all (LWTA) nonlinearities, combined with posterior sampling schemes, can greatly improve the adversarial robustness of traditional deep networks against difficult adversarial attack schemes. We combine these LWTA arguments with tools from the field of Bayesian non-parametrics, specifically the stick-breaking construction of the Indian Buffet Process, to flexibly account for the inherent uncertainty in data-driven modeling. As we experimentally show, the new proposed model achieves high robustness to adversarial perturbations on MNIST and CIFAR10 datasets. Our model achieves state-of-the-art results in powerful white-box attacks, while at the same time retaining its benign accuracy to a high degree. Equally importantly, our approach achieves this result while requiring far less trainable model parameters than the existing state-of-the-art.

Machine Learning

Adam Dziedzic,Sanjay Krishnan

DOI: https://doi.org/10.48550/arXiv.2002.03080

2020-06-08

Abstract:Recent work has extensively shown that randomized perturbations of neural networks can improve robustness to adversarial attacks. The literature is, however, lacking a detailed compare-and-contrast of the latest proposals to understand what classes of perturbations work, when they work, and why they work. We contribute a detailed evaluation that elucidates these questions and benchmarks perturbation based defenses consistently. In particular, we show five main results: (1) all input perturbation defenses, whether random or deterministic, are equivalent in their efficacy, (2) attacks transfer between perturbation defenses so the attackers need not know the specific type of defense -- only that it involves perturbations, (3) a tuned sequence of noise layers across a network provides the best empirical robustness, (4) perturbation based defenses offer almost no robustness to adaptive attacks unless these perturbations are observed during training, and (5) adversarial examples in a close neighborhood of original inputs show an elevated sensitivity to perturbations in first and second-order analyses.

Machine Learning,Cryptography and Security,Computer Vision and Pattern Recognition

Jiangchao Liu,Liqian Chen,Antoine Mine,Ji Wang

2024-02-13

Abstract:Local robustness verification can verify that a neural network is robust wrt. any perturbation to a specific input within a certain distance. We call this distance Robustness Radius. We observe that the robustness radii of correctly classified inputs are much larger than that of misclassified inputs which include adversarial examples, especially those from strong adversarial attacks. Another observation is that the robustness radii of correctly classified inputs often follow a normal distribution. Based on these two observations, we propose to validate inputs for neural networks via runtime local robustness verification. Experiments show that our approach can protect neural networks from adversarial examples and improve their accuracies.

Machine Learning

Linyi Li,Tao Xie,Bo Li

DOI: https://doi.org/10.1109/SP46215.2023.10179303

2023-01-01

Abstract: Great advances in deep neural networks (DNNs) have led to state-of-the-art performance on a wide range of tasks. However, recent studies have shown that DNNs are vulnerable to adversarial attacks, which have brought great concerns when deploying these models to safety-critical applications such as autonomous driving. Different defense approaches have been proposed against adversarial attacks, including: a) empirical defenses, which can usually be adaptively attacked again without providing robustness certification; and b) certifiably robust approaches, which consist of robustness verification providing the lower bound of robust accuracy against any attacks under certain conditions and corresponding robust training approaches. In this paper, we systematize certifiably robust approaches and related practical and theoretical implications and findings. We also provide the first comprehensive benchmark on existing robustness verification and training approaches on different datasets. In particular, we 1) provide a taxonomy for the robustness verification and training approaches, as well as summarize the methodologies for representative algorithms, 2) reveal the characteristics, strengths, limitations, and fundamental connections among these approaches, 3) discuss current research progresses, theoretical barriers, main challenges, and future directions for certifiably robust approaches for DNNs, and 4) provide an open-sourced unified platform to evaluate 20+ representative certifiably robust approaches.

Fuxun Yu,Zhuwei Qin,Chenchen Liu,Liang Zhao,Yanzhi Wang,Xiang Chen

DOI: https://doi.org/10.48550/arXiv.1905.04270

2019-05-11

Abstract:Recently, adversarial deception becomes one of the most considerable threats to deep neural networks. However, compared to extensive research in new designs of various adversarial attacks and defenses, the neural networks' intrinsic robustness property is still lack of thorough investigation. This work aims to qualitatively interpret the adversarial attack and defense mechanism through loss visualization, and establish a quantitative metric to evaluate the neural network model's intrinsic robustness. The proposed robustness metric identifies the upper bound of a model's prediction divergence in the given domain and thus indicates whether the model can maintain a stable prediction. With extensive experiments, our metric demonstrates several advantages over conventional adversarial testing accuracy based robustness estimation: (1) it provides a uniformed evaluation to models with different structures and parameter scales; (2) it over-performs conventional accuracy based robustness estimation and provides a more reliable evaluation that is invariant to different test settings; (3) it can be fast generated without considerable testing cost.

Machine Learning,Computer Vision and Pattern Recognition

Yinpeng Dong,Qi-An Fu,Xiao Yang,Tianyu Pang,Hang Su,Zihao Xiao,Jun Zhu

DOI: https://doi.org/10.1109/CVPR42600.2020.00040

2020-01-01

Abstract:Deep neural networks are vulnerable to adversarial examples, which becomes one of the most important research problems in the development of deep learning. While a lot of efforts have been made in recent years, it is of great significance to perform correct and complete evaluations of the adversarial attack and defense algorithms. In this paper, we establish a comprehensive, rigorous, and coherent benchmark to evaluate adversarial robustness on image classification tasks. After briefly reviewing plenty of representative attack and defense methods, we perform large-scale experiments with two robustness curves as the fair-minded evaluation criteria to fully understand the performance of these methods. Based on the evaluation results, we draw several important findings that can provide insights for future research, including: 1) The relative robustness between models can change across different attack configurations, thus it is encouraged to adopt the robustness curves to evaluate adversarial robustness; 2) As one of the most effective defense techniques, adversarial training can generalize across different threat models; 3) Randomization-based defenses are more robust to query-based black-box attacks.

Mengchen Liu,Shixia Liu,Hang Su,Kelei Cao,Jun Zhu

DOI: https://doi.org/10.1109/tvcg.2020.2969185

IF: 5.2

2020-01-01

IEEE Transactions on Visualization and Computer Graphics

Abstract:Adversarial examples, generated by adding small but intentionally imperceptible perturbations to normal examples, can mislead deep neural networks (DNNs) to make incorrect predictions. Although much work has been done on both adversarial attack and defense, a fine-grained understanding of adversarial examples is still lacking. To address this issue, we present a visual analysis method to explain why adversarial examples are misclassified. The key is to compare and analyze the datapaths of both the adversarial and normal examples. A datapath is a group of critical neurons along with their connections. We formulate the datapath extraction as a subset selection problem and solve it by constructing and training a neural network. A multi-level visualization consisting of a network-level visualization of data flows, a layer-level visualization of feature maps, and a neuron-level visualization of learned features, has been designed to help investigate how datapaths of adversarial and normal examples diverge and merge in the prediction process. A quantitative evaluation and a case study were conducted to demonstrate the promise of our method to explain the misclassification of adversarial examples.

Roman Garaev,Bader Rasheed,Adil Khan

DOI: https://doi.org/10.48550/arXiv.2308.06467

2023-08-12

Abstract:Deep neural networks (DNNs) have gained prominence in various applications, such as classification, recognition, and prediction, prompting increased scrutiny of their properties. A fundamental attribute of traditional DNNs is their vulnerability to modifications in input data, which has resulted in the investigation of adversarial attacks. These attacks manipulate the data in order to mislead a DNN. This study aims to challenge the efficacy and generalization of contemporary defense mechanisms against adversarial attacks. Specifically, we explore the hypothesis proposed by Ilyas et. al, which posits that DNN image features can be either robust or non-robust, with adversarial attacks targeting the latter. This hypothesis suggests that training a DNN on a dataset consisting solely of robust features should produce a model resistant to adversarial attacks. However, our experiments demonstrate that this is not universally true. To gain further insights into our findings, we analyze the impact of adversarial attack norms on DNN representations, focusing on samples subjected to $L_2$ and $L_{\infty}$ norm attacks. Further, we employ canonical correlation analysis, visualize the representations, and calculate the mean distance between these representations and various DNN decision boundaries. Our results reveal a significant difference between $L_2$ and $L_{\infty}$ norms, which could provide insights into the potential dangers posed by $L_{\infty}$ norm attacks, previously underestimated by the research community.

Machine Learning,Artificial Intelligence

Ravi Mangal,Aditya V. Nori,Alessandro Orso

DOI: https://doi.org/10.48550/arXiv.1902.05983

2019-02-16

Abstract:Neural networks are becoming increasingly prevalent in software, and it is therefore important to be able to verify their behavior. Because verifying the correctness of neural networks is extremely challenging, it is common to focus on the verification of other properties of these systems. One important property, in particular, is robustness. Most existing definitions of robustness, however, focus on the worst-case scenario where the inputs are adversarial. Such notions of robustness are too strong, and unlikely to be satisfied by-and verifiable for-practical neural networks. Observing that real-world inputs to neural networks are drawn from non-adversarial probability distributions, we propose a novel notion of robustness: probabilistic robustness, which requires the neural network to be robust with at least $(1 - \epsilon)$ probability with respect to the input distribution. This probabilistic approach is practical and provides a principled way of estimating the robustness of a neural network. We also present an algorithm, based on abstract interpretation and importance sampling, for checking whether a neural network is probabilistically robust. Our algorithm uses abstract interpretation to approximate the behavior of a neural network and compute an overapproximation of the input regions that violate robustness. It then uses importance sampling to counter the effect of such overapproximation and compute an accurate estimate of the probability that the neural network violates the robustness property.

Machine Learning,Programming Languages,Software Engineering