Certifiably-Robust Federated Adversarial Learning via Randomized Smoothing

Chen, Cheng; Kailkhura, Bhavya; Goldhahn, Ryan; Zhou, Yi

doi:10.1109/mass52906.2021.00032

Cited by 9 publications

(11 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In particular, the works of Zizzo et al [14] and Shah et al [45] studied the incorporation of adversarial training [23], arguably the most effective empirical defense against adversarial attacks, into the FL setup. Closest to our study, is the recent work of Chen et al [31] that explored certification via RS in FL. In contrast to [31], instead of pixel-level perturbations, we study realistic (e.g.…”

Section: Related Workmentioning

confidence: 91%

“…Closest to our study, is the recent work of Chen et al [31] that explored certification via RS in FL. In contrast to [31], instead of pixel-level perturbations, we study realistic (e.g. rotation and translation) perturbations.…”

Section: Related Workmentioning

confidence: 91%

“…Notably, RS has been successfully combined with adversarial training [27], regularization [28], and parameter optimization [29,30] for improved robustness. The original RS formulation certified models against pixel-level additive perturbations, and was studied in the federated learning setup by Chen et al [31]. Recently, DeformRS [9] reformulated RS to consider parameterized deformations, granting robustness certificates against more general and semantic perturbations, such as rotation and translation.…”

Section: Related Workmentioning

confidence: 99%

See 2 more Smart Citations

Certified Robustness in Federated Learning

Alfarra¹,

Pérez²,

Shulgin³

et al. 2022

Preprint

View full text Add to dashboard Cite

Federated learning has recently gained significant attention and popularity due to its effectiveness in training machine learning models on distributed data privately. However, as in the single-node supervised learning setup, models trained in federated learning suffer from vulnerability to imperceptible input transformations known as adversarial attacks, questioning their deployment in security-related applications. In this work, we study the interplay between federated training, personalization, and certified robustness. In particular, we deploy randomized smoothing, a widely-used and scalable certification method, to certify deep networks trained on a federated setup against input perturbations and transformations. We find that the simple federated averaging technique is effective in building not only more accurate, but also more certifiably-robust models, compared to training solely on local data. We further analyze personalization, a popular technique in federated training that increases the model's bias towards local data, on robustness. We show several advantages of personalization over both (that is, only training on local data and federated training) in building more robust models with faster training. Finally, we explore the robustness of mixtures of global and local (i.e. personalized) models, and find that the robustness of local models degrades as they diverge from the global model 1 .

show abstract

Section: Related Workmentioning

confidence: 91%

Section: Related Workmentioning

confidence: 91%

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Certified Robustness in Federated Learning

Alfarra¹,

Pérez²,

Shulgin³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Inspired by the idea that trigger regions contribute the most to prediction, Doan et al [60] proposed the use of GANs to process parts of images that may have triggers, and they designed a two-stage image preprocessing method (i.e., Februs). In the first stage, February uses GradCAM [61] to identify regions of influence, generating heatmaps to illustrate important regions in the input that contribute significantly to the learned features. In the second stage, a GAN-based inpainting method is employed to reconstruct the masked regions.Based on this idea, Udeshi et al [62] also designed a square trigger interceptor using the dominant color in the image to locate and remove backdoor triggers.…”

Section: A Dataset-based Defense Strategiesmentioning

confidence: 99%

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

Zhang

Wei-ping

et al. 2023

IEEE Open J. Comput. Soc.

View full text Add to dashboard Cite

Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. In backdoor attacks, the attackers try to plant hidden backdoors into DNN models, either in the training or inference stage, to mislead the output of the model when the input contains some specified triggers without affecting the prediction of normal inputs not containing the triggers. As a rapidly developing topic, numerous works on designing various backdoor attacks and developing techniques to defend against such attacks have been proposed in recent years. However, a comprehensive and holistic overview of backdoor attacks and countermeasures is still missing. In this paper, we provide a systematic overview of the design of backdoor attacks and the defense strategies to defend against backdoor attacks, covering the latest published works. We review representative backdoor attacks and defense strategies in both the computer vision domain and other domains, discuss their pros and cons, and make comparisons among them. We outline key challenges to be addressed and potential research directions in the future.

show abstract

“…In addition to adversarial training, we conducted experiments on robust models obtained through randomized smoothing [81], which is widely recognized as one of the leading techniques for achieving certified robustness. When attacking such a defensive model with a ResNet-50 architecture, we observe a substantial improvement compared to [1] (26.76%→85.04%).…”

Section: Attacking Defensive Modelsmentioning

confidence: 99%

The Evolution and Approaches of Information Analysis Service of University Libraries in China

Hong

Chen

Guo

2020

Science & Technology Libraries

View full text Add to dashboard Cite

In recent years, we have witnessed the great advancement of Deep neural networks (DNNs) in image restoration. However, a critical limitation is that they cannot generalize well to real-world degradations with different degrees or types. In this paper, we are the first to propose a novel training strategy for image restoration from the causality perspective, to improve the generalization ability of DNNs for unknown degradations. Our method, termed Distortion Invariant representation Learning (DIL), treats each distortion type and degree as one specific confounder, and learns the distortion-invariant representation by eliminating the harmful confounding effect of each degradation. We derive our DIL with the back-door criterion in causality by modeling the interventions of different distortions from the optimization perspective. Particularly, we introduce the counterfactual distortion augmentation to simulate the virtual distortion types and degrees as the confounders. Then, we instantiate the intervention of each distortion with a virtually model updating based on corresponding distorted images, and eliminate them from the meta-learning perspective. Extensive experiments demonstrate the effectiveness of our DIL on the generalization capability on unseen distortion types and degrees. Our code will be available at https://github.com/lixinustc/causal-IR-DIL.

show abstract

Certifiably-Robust Federated Adversarial Learning via Randomized Smoothing

Cited by 9 publications

References 5 publications

Certified Robustness in Federated Learning

Certified Robustness in Federated Learning

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

The Evolution and Approaches of Information Analysis Service of University Libraries in China

Contact Info

Product

Resources

About