Adv-BNN: Improved Adversarial Defense through Robust Bayesian Neural Network

Liu, Xuanqing; Yao, Li; Wu, Chongruo; Hsieh, Cho‐Jui

doi:10.48550/arxiv.1810.01279

Cited by 33 publications

(54 citation statements)

References 12 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Stochastic defenses. Many methods [7], [8], [9], [16], [17], [18], [19], [20] have been proposed to defend against adversarial attacks by introducing randomness into the classifier. However, they have been broken by a stronger adaptive proxy-gradient-based attack [11], [21], [22].…”

Section: Literature Reviewmentioning

confidence: 99%

“…The Random Self-Ensemble (RSE) approach introduced random noise layers to make the network stochastic and ensembled the prediction over the randomness to achieve stable performance [16]. While RSE introduced randomness by perturbing the inputs of each layer, another approach called Adv-BNN [17] used Bayesian neural network structure embedded with adversarial training [3] to make the weight of the model stochastic. Moreover, He et al [18] proposed a method called Parametric Noise Injection (PNI) injecting learnable noise on the layerwise weight or inputs.…”

Section: Literature Reviewmentioning

confidence: 99%

“…Moreover, He et al [18] proposed a method called Parametric Noise Injection (PNI) injecting learnable noise on the layerwise weight or inputs. However, these approaches [16], [17], [18] still evaluated their robustness against a weak attack rather than the EOT attack. Especially, it has been shown (for the STL10 dataset) that Adv-BNN may not improve robustness against the EOT attack compared to the standard adversarial training [23].…”

Section: Literature Reviewmentioning

confidence: 99%

“…where {g i } n i=1 is a set of sample gradients at the point X and ρ is the sample MRL of the sample gradients. Note that the regularizer R mean in (17) is the average value of the cosine between gradient samples which directly penalizes the lefthand side of (11). We also tested variants of the regularizer (17) (see the supplementary material for the details).…”

Section: Relationship Between the Gradient Distribution And The Proxy...mentioning

confidence: 99%

See 3 more Smart Citations

GradDiv: Adversarial Robustness of Randomized Neural Networks via Gradient Diversity Regularization

Lee¹,

Kim²,

Lee³

2021

Preprint

View full text Add to dashboard Cite

Deep learning is vulnerable to adversarial examples. Many defenses based on randomized neural networks have been proposed to solve the problem, but fail to achieve robustness against attacks using proxy gradients such as the Expectation over Transformation (EOT) attack. We investigate the effect of the adversarial attacks using proxy gradients on randomized neural networks and demonstrate that it highly relies on the directional distribution of the loss gradients of the randomized neural network. We show in particular that proxy gradients are less effective when the gradients are more scattered. To this end, we propose Gradient Diversity (GradDiv) regularizations that minimize the concentration of the gradients to build a robust randomized neural network. Our experiments on MNIST, CIFAR10, and STL10 show that our proposed GradDiv regularizations improve the adversarial robustness of randomized neural networks against a variety of state-of-the-art attack methods. Moreover, our method efficiently reduces the transferability among sample models of randomized neural networks.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

Section: Relationship Between the Gradient Distribution And The Proxy...mentioning

confidence: 99%

See 2 more Smart Citations

GradDiv: Adversarial Robustness of Randomized Neural Networks via Gradient Diversity Regularization

Lee¹,

Kim²,

Lee³

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…The work of [18,19,20,21] investigates the relationship between weight sparsity and the robustness of the models against adversarial attacks. Other provable defenses utilize k-nearest neighbor (KNN) [22,23], and Bayesian deep neural network (BNN) [24]. Ensemble methods [25,26,27] played a big influence in this work.…”

mentioning

confidence: 99%

Resilience from Diversity: Population-based approach to harden models against adversarial attacks

Jasser

Garibay

2021

Preprint

View full text Add to dashboard Cite

Traditional deep learning models exhibit intriguing vulnerabilities that allow an attacker to force them to fail at their task. Notorious attacks such as the Fast Gradient Sign Method (FGSM) and the more powerful Projected Gradient Descent (PGD) generate adversarial examples by adding a magnitude of perturbation to the input's computed gradient, resulting in a deterioration of the effectiveness of the model's classification. This work introduces a model that is resilient to adversarial attacks. Our model leverages a well established principle from biological sciences: population diversity produces resilience against environmental changes. More precisely, our model consists of a population of n diverse submodels, each one of them trained to individually obtain a high accuracy for the task at hand, while forced to maintain meaningful differences in their weight tensors. Each time our model receives a classification query, it selects a submodel from its population at random to answer the query. To introduce and maintain diversity in population of submodels, we introduce the concept of counter linking weights. A Counter-Linked Model (CLM) consists of submodels of the same architecture where a periodic random similarity examination is conducted during the simultaneous training to guarantee diversity while maintaining accuracy. In our testing, CLM robustness got enhanced by around 20% when tested on the MNIST dataset and at least 15% when tested on the CIFAR-10 dataset. When implemented with adversarially trained submodels, this methodology achieves state-of-the-art robustness. On the MNIST dataset with = 0.3, it achieved 94.34% against FGSM and 91% against PGD. On the CIFAR-10 dataset with = 8/255, it achieved 62.97% against FGSM and 59.16% against PGD. Keywords Adversarial attacks • Adversarial defense • DiversityDeep learning models have achieved great success in computer vision applications and have become the preferred tool for solving a variety of problems. In academia, deep learning is heavily used in image generation, classification, and segmentation. Across industries, deep learning excels in self driving cars, healthcare, fraud detection, and many more application domains. However, recent literature [1] has shown that these models have an intriguing property that would render them vulnerable to adversarial attacks. There is a plethora of attacks that can target and harm an already trained deep learning model and force it to misclassify images that looks normal to the human eye. This work focuses on two popular attacks that are a standard in research, the FGSM and PGD attacks. In the FGSM attack, a one-step update along the sign of the gradient of the loss is executed to achieve the most increase in the loss, as shown in equation(1).x = x + • sign(∇ x J(θ, x, y))(1) while in the PGD attack, maximizing the adversarial loss is calculated using smaller steps over several iterations and from a random starting point, shown in equation( 2).x t+1 = x+S (x t + α • sign(∇ x J(θ, x t , y)))(2)

show abstract

Adversarial Ranking Attack and Defense

Zhou

Niu²,

Wang³

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Deep Neural Network classifiers are vulnerable to adversarial attack, where an imperceptible perturbation could result in misclassification. However, the vulnerability of DNN-based image ranking systems remains under-explored. In this paper, we propose two attacks against deep ranking systems, i.e., Candidate Attack and Query Attack, that can raise or lower the rank of chosen candidates by adversarial perturbations. Specifically, the expected ranking order is first represented as a set of inequalities, and then a triplet-like objective function is designed to obtain the optimal perturbation. Conversely, an anti-collapse triplet defense is proposed to improve the ranking model robustness against all proposed attacks, where the model learns to prevent the positive and negative samples being pulled close to each other by adversarial attack. To comprehensively measure the empirical adversarial robustness of a ranking model with our defense, we propose an empirical robustness score, which involves a set of representative attacks against ranking models. Our adversarial ranking attacks and defenses are evaluated on MNIST, Fashion-MNIST, CUB200-2011, CARS196 and Stanford Online Products datasets. Experimental results demonstrate that a typical deep ranking system can be effectively compromised by our attacks. Nevertheless, our defense can significantly improve the ranking system robustness, and simultaneously mitigate a wide range of attacks.

show abstract

Adv-BNN: Improved Adversarial Defense through Robust Bayesian Neural Network

Cited by 33 publications

References 12 publications

GradDiv: Adversarial Robustness of Randomized Neural Networks via Gradient Diversity Regularization

GradDiv: Adversarial Robustness of Randomized Neural Networks via Gradient Diversity Regularization

Resilience from Diversity: Population-based approach to harden models against adversarial attacks

Adversarial Ranking Attack and Defense

Contact Info

Product

Resources

About