Certified Robustness to Adversarial Examples with Differential Privacy

Lécuyer, Mathias; Atlidakis, Vaggelis; Geambasu, Roxana; Hsu, Daniel; Jana, Suman

doi:10.48550/arxiv.1802.03471

Cited by 31 publications

(101 citation statements)

References 0 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…There is another line of research that focuses on improving robustness to perturbations/adversarial attacks by noise injection. Among them, random self-ensemble [6,7] adds Gaussian noise to hidden states during both training and testing time. In training time, it works as a regularizer to prevent overfitting; in testing time, the random noise is also helpful, which will be explained in this paper.…”

Section: Related Workmentioning

confidence: 99%

“…It has been shown that injecting small Gaussian noise can be viewed as a regularization in neural networks [4,5]. Furthermore, [6,7] recently showed that adding a slightly larger noise in one or all residual blocks can improve the adversarial robustness of neural networks. We will provide the stability analysis of (3) in Section 3.3, which provides a theoretical explanation towards the robustness of Neural SDE.…”

Section: Modeling Randomness In Neural Networkmentioning

confidence: 99%

“…Many of these regularization techniques are based on stochastic noise injection. For instance, dropout [3] is widely adopted to prevent overfitting; injecting Gaussian random noise during the forward propagation is effective in improving generalization [4,5] as well as robustness to adversarial attacks [6,7]. However, these regularization methods in discrete neural networks are not directly applicable to Neural ODE network, because Neural ODE network is a deterministic system.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Neural SDE: Stabilizing Neural ODE Networks with Stochastic Noise

Liu,

Xiao,

et al. 2019

Preprint

View full text Add to dashboard Cite

Neural Ordinary Differential Equation (Neural ODE) has been proposed as a continuous approximation to the ResNet architecture. Some commonly used regularization mechanisms in discrete neural networks (e.g. dropout, Gaussian noise) are missing in current Neural ODE networks. In this paper, we propose a new continuous neural network framework called Neural Stochastic Differential Equation (Neural SDE) network, which naturally incorporates various commonly used regularization mechanisms based on random noise injection. Our framework can model various types of noise injection frequently used in discrete networks for regularization purpose, such as dropout and additive/multiplicative noise in each block. We provide theoretical analysis explaining the improved robustness of Neural SDE models against input perturbations/adversarial attacks. Furthermore, we demonstrate that the Neural SDE network can achieve better generalization than the Neural ODE and is more resistant to adversarial and non-adversarial input perturbations.

show abstract

Section: Related Workmentioning

confidence: 99%

Section: Modeling Randomness In Neural Networkmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Neural SDE: Stabilizing Neural ODE Networks with Stochastic Noise

Liu,

Xiao,

et al. 2019

Preprint

View full text Add to dashboard Cite

show abstract

“…While our framework does not cover this SDP relaxation, it is not clear to us how to extend the SDP relaxed verifier to general nonlinearities, for example max-pooling, which can be done in our framework on the other hand. Other verifiers have been proposed to certify via an intermediary step of bounding the local Lipschitz constant [Hein and Andriushchenko, 2017, Weng et al, 2018, Raghunathan et al, 2018a, Zhang et al, 2019, and others have used randomized smoothing to certify with high-probability [Lecuyer et al, 2018, Li et al, 2018, Cohen et al, 2019, Salman et al, 2019. These are outside the scope of our framework.…”

Section: Preliminaries and Related Workmentioning

confidence: 99%

A Convex Relaxation Barrier to Tight Robustness Verification of Neural Networks

Salman,

Yang,

Zhang

et al. 2019

Preprint

View full text Add to dashboard Cite

Verification of neural networks enables us to gauge their robustness against adversarial attacks. Verification algorithms fall into two categories: exact verifiers that run in exponential time and relaxed verifiers that are efficient but incomplete. In this paper, we unify all existing LP-relaxed verifiers, to the best of our knowledge, under a general convex relaxation framework. This framework works for neural networks with diverse architectures and nonlinearities and covers both primal and dual views of neural network verification. Next, we perform large-scale experiments, amounting to more than 22 CPU-years, to obtain exact solution to the convex-relaxed problem that is optimal within our framework for ReLU networks. We find the exact solution does not significantly improve upon the gap between PGD and existing relaxed verifiers for various networks trained normally or robustly on MNIST and CIFAR datasets. Our results suggest there is an inherent barrier to tight verification for the large class of methods captured by our framework. We discuss possible causes of this barrier and potential future directions for bypassing it. Our code and trained models are available at http://github.com/Hadisalman/robust-verify-benchmark.

show abstract

“…A similar approach to [22] is [28] in which the authors use robust optimization to provide lower bounds on the norm of adversarial perturbations on the training data. In [16], the authors use techniques from Differential Privacy [7] in order to augment the training procedure of the classifier to improve robustness to adversarial inputs. Another approach using randomization is [17] in which the authors add i.i.d.…”

Section: Comparison To Related Workmentioning

confidence: 99%

Recovery Guarantees for Compressible Signals with Adversarial Noise

Dhaliwal¹,

Hambrook²

2019

Preprint

View full text Add to dashboard Cite

We provide recovery guarantees for compressible signals that have been corrupted with noise and extend the framework introduced in [1] to defend neural networks against 0 -norm, 2 -norm, and ∞ -norm attacks. Our results are general as they can be applied to most unitary transforms used in practice and hold for 0 -norm, 2 -norm, and ∞ -norm bounded noise. In the case of 0 -norm noise, we prove recovery guarantees for Iterative Hard Thresholding (IHT) and Basis Pursuit (BP). For 2norm bounded noise, we provide recovery guarantees for BP and for the case of ∞ -norm bounded noise, we provide recovery guarantees for Dantzig Selector (DS). These guarantees theoretically bolster the defense framework introduced in [1] for defending neural networks against adversarial inputs. Finally, we experimentally demonstrate the effectiveness of this defense framework against an array of 0 , 2 and ∞ norm attacks.

show abstract

Certified Robustness to Adversarial Examples with Differential Privacy

Cited by 31 publications

References 0 publications

Neural SDE: Stabilizing Neural ODE Networks with Stochastic Noise

Neural SDE: Stabilizing Neural ODE Networks with Stochastic Noise

A Convex Relaxation Barrier to Tight Robustness Verification of Neural Networks

Recovery Guarantees for Compressible Signals with Adversarial Noise

Contact Info

Product

Resources

About