Certified Defenses against Adversarial Examples

Raghunathan, Aditi; Steinhardt, Jacob; Liang, Percy

doi:10.48550/arxiv.1801.09344

Cited by 146 publications

(182 citation statements)

References 34 publications

Supporting

Mentioning

177

Contrasting

Order By: Relevance

“…Along with a prediction on the test point, these defenses output a certified radius r such that for any ||δ|| 2 < r, the model continues to have the same prediction. Such techniques include convex polytope [52], recursive propagation [16], and linear relaxation [42,59]. These methods provide a lower bound on the perturbation required to change the model's prediction on a target point.…”

Section: Related Workmentioning

confidence: 99%

“…Unfortunately, a large body of work in this direction has fallen into the cycle where new empirical defense techniques are proposed, followed by new adaptive attacks breaking these defenses [2,50]. Therefore, significant efforts have been dedicated to developing methods that are certifiably robust [16,42,52] which provide provable robustness guarantees. Most promising among these certified defenses are randomized smoothing (RS) based certified defenses [8,31,32] which are scalable to deep neural networks (DNNs) and high-dimensional datasets.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Certified Adversarial Defenses Meet Out-of-Distribution Corruptions: Benchmarking Robustness and Simple Baselines

Sun

Mehra

Kailkhura

et al. 2021

Preprint

View full text Add to dashboard Cite

Certified robustness guarantee gauges a model's robustness to test-time attacks and can assess the model's readiness for deployment in the real world. In this work, we critically examine how the adversarial robustness guarantees from randomized smoothing-based certification methods change when state-of-the-art certifiably robust models encounter out-of-distribution (OOD) data. Our analysis demonstrates a previously unknown vulnerability of these models to low-frequency OOD data such as weather-related corruptions, rendering these models unfit for deployment in the wild. To alleviate this issue, we propose a novel data augmentation scheme, FourierMix, that produces augmentations to improve the spectral coverage of the training data. Furthermore, we propose a new regularizer that encourages consistent predictions on noise perturbations of the augmented data to improve the quality of the smoothed models. We find that FourierMix augmentations help eliminate the spectral bias of certifiably robust models enabling them to achieve significantly better robustness guarantees on a range of OOD benchmarks. Our evaluation also uncovers the inability of current OOD benchmarks at highlighting the spectral biases of the models. To this end, we propose a comprehensive benchmarking suite that contains corruptions from different regions in the spectral domain. Evaluation of models trained with popular augmentation methods on the proposed suite highlights their spectral biases and establishes the superiority of FourierMix trained models at achieving better-certified robustness guarantees under OOD shifts over the entire frequency spectrum. 1 † Work partially done during internship at Lawrence Livermore National Laboratory (LLNL).1 Pre-print under review. Codes and benchmark datasets will be opensourced upon paper acceptance.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Certified Adversarial Defenses Meet Out-of-Distribution Corruptions: Benchmarking Robustness and Simple Baselines

Sun

Mehra

Kailkhura

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…for instance, find an upper bound for the adversarial loss by considering the polytope generated by adversarial examples with bounded norm and minimizing the loss over a convex polytope that contains it. An upper bound on the adversarial loss is also computed in Raghunathan et al (2018a) by solving instead a semidefinite program. Other more scalable and effective methods based on minimizing an upper bound of the adversarial loss have been introduced Balunovic and Vechev, 2019;Dvijotham et al, 2018a;Zhang et al, 2019).…”

Section: Introductionmentioning

confidence: 99%

“…Since the direction of the gradient is then not precise, the optimization process may be problematic. Even though a couple of these approaches do provide an upper bound with closed form solution (Raghunathan et al, 2018a;, they only work for specific cases (Raghunathan et al (2018a) only works for neural networks with two layers, and the upper bound in is often loose and it only applies when the perturbations are in the L ∞ norm-bounded ball). Given this state of affairs, we believe we need a new, principled approach to optimize an upper bound of the adversarial loss.…”

Section: Introductionmentioning

confidence: 99%

A Robust Optimization Approach to Deep Learning

Bertsimas¹,

Boix²,

Carballo³

et al. 2021

Preprint

View full text Add to dashboard Cite

Many state-of-the-art adversarial training methods leverage upper bounds of the adversarial loss to provide security guarantees. Yet, these methods require computations at each training step that can not be incorporated in the gradient for backpropagation. We introduce a new, more principled approach to adversarial training based on a closed form solution of an upper bound of the adversarial loss, which can be effectively trained with backpropagation. This bound is facilitated by state-ofthe-art tools from robust optimization. We derive two new methods with our approach. The first method (Approximated Robust Upper Bound or aRUB) uses the first order approximation of the network as well as basic tools from linear robust optimization to obtain an approximate upper bound of the adversarial loss that can be easily implemented. The second method (Robust Upper Bound or RUB), computes an exact upper bound of the adversarial loss. Across a variety of tabular and vision data sets we demonstrate the effectiveness of our more principled approach -RUB is substantially more robust than state-of-the-art methods for larger perturbations, while aRUB matches the performance of state-of-the-art methods for small perturbations. Also, both RUB and aRUB run faster than standard adversarial training (at the expense of an increase in memory). All the code to reproduce the results can be found at https://github.com/kimvc7/Robustness.

show abstract

“…Provable defenses which are theoretically proven to counter adversarial attacks with a certain accuracy, depending on the attack class. Semidefinite programming-based defenses [15,16] outputs an optimizable certificate that encourages robustness against all attacks. The defense proposed in [17], considers a convex outer approximation that covers all the perturbations that can possibly be generated from that space and minimizes the worst-case loss over this region through linear programming.…”

mentioning

confidence: 99%

Resilience from Diversity: Population-based approach to harden models against adversarial attacks

Jasser

Garibay

2021

Preprint

View full text Add to dashboard Cite

Traditional deep learning models exhibit intriguing vulnerabilities that allow an attacker to force them to fail at their task. Notorious attacks such as the Fast Gradient Sign Method (FGSM) and the more powerful Projected Gradient Descent (PGD) generate adversarial examples by adding a magnitude of perturbation to the input's computed gradient, resulting in a deterioration of the effectiveness of the model's classification. This work introduces a model that is resilient to adversarial attacks. Our model leverages a well established principle from biological sciences: population diversity produces resilience against environmental changes. More precisely, our model consists of a population of n diverse submodels, each one of them trained to individually obtain a high accuracy for the task at hand, while forced to maintain meaningful differences in their weight tensors. Each time our model receives a classification query, it selects a submodel from its population at random to answer the query. To introduce and maintain diversity in population of submodels, we introduce the concept of counter linking weights. A Counter-Linked Model (CLM) consists of submodels of the same architecture where a periodic random similarity examination is conducted during the simultaneous training to guarantee diversity while maintaining accuracy. In our testing, CLM robustness got enhanced by around 20% when tested on the MNIST dataset and at least 15% when tested on the CIFAR-10 dataset. When implemented with adversarially trained submodels, this methodology achieves state-of-the-art robustness. On the MNIST dataset with = 0.3, it achieved 94.34% against FGSM and 91% against PGD. On the CIFAR-10 dataset with = 8/255, it achieved 62.97% against FGSM and 59.16% against PGD. Keywords Adversarial attacks • Adversarial defense • DiversityDeep learning models have achieved great success in computer vision applications and have become the preferred tool for solving a variety of problems. In academia, deep learning is heavily used in image generation, classification, and segmentation. Across industries, deep learning excels in self driving cars, healthcare, fraud detection, and many more application domains. However, recent literature [1] has shown that these models have an intriguing property that would render them vulnerable to adversarial attacks. There is a plethora of attacks that can target and harm an already trained deep learning model and force it to misclassify images that looks normal to the human eye. This work focuses on two popular attacks that are a standard in research, the FGSM and PGD attacks. In the FGSM attack, a one-step update along the sign of the gradient of the loss is executed to achieve the most increase in the loss, as shown in equation(1).x = x + • sign(∇ x J(θ, x, y))(1) while in the PGD attack, maximizing the adversarial loss is calculated using smaller steps over several iterations and from a random starting point, shown in equation( 2).x t+1 = x+S (x t + α • sign(∇ x J(θ, x t , y)))(2)

show abstract

Certified Defenses against Adversarial Examples

Cited by 146 publications

References 34 publications

Certified Adversarial Defenses Meet Out-of-Distribution Corruptions: Benchmarking Robustness and Simple Baselines

Certified Adversarial Defenses Meet Out-of-Distribution Corruptions: Benchmarking Robustness and Simple Baselines

A Robust Optimization Approach to Deep Learning

Resilience from Diversity: Population-based approach to harden models against adversarial attacks

Contact Info

Product

Resources

About