Enhancing Adversarial Robustness via Test-time Transformation Ensembling

Pérez, Juan C.; Alfarra, Motasem; Jeanneret, Guillaume; Rueda, Laura; Thabet, Ali; Ghanem, Bernard; Arbeláez, Pablo

doi:10.1109/iccvw54120.2021.00015

Cited by 11 publications

(3 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While several approaches were proposed, such as regularization (Cisse et al 2017) and distillation (Papernot et al 2016b), Adversarial Training (AT) (Madry et al 2018) remains among the most effective. Moreover, recent works showed that AT can be enhanced by combining it with pretraining (Hendrycks, Lee, and Mazeika 2019), exploiting unlabeled data (Carmon et al 2019), or concurrently, conducting transformations at test time (Pérez et al 2021). Further improvements were obtained by introducing regularizers, such as TRADES and MART (Wang et al 2019), or combining AT with network pruning, as in HYDRA (Sehwag et al 2020), or weight perturbations (Wu, Xia, and Wang 2020).…”

Section: Related Workmentioning

confidence: 99%

Combating Adversaries with Anti-adversaries

Alfarra

Pérez

Thabet

et al. 2022

AAAI

Self Cite

View full text Add to dashboard Cite

Deep neural networks are vulnerable to small input perturbations known as adversarial attacks. Inspired by the fact that these adversaries are constructed by iteratively minimizing the confidence of a network for the true class label, we propose the anti-adversary layer, aimed at countering this effect. In particular, our layer generates an input perturbation in the opposite direction of the adversarial one and feeds the classifier a perturbed version of the input. Our approach is training-free and theoretically supported. We verify the effectiveness of our approach by combining our layer with both nominally and robustly trained models and conduct large-scale experiments from black-box to adaptive attacks on CIFAR10, CIFAR100, and ImageNet. Our layer significantly enhances model robustness while coming at no cost on clean accuracy.

show abstract

Section: Related Workmentioning

confidence: 99%

Combating Adversaries with Anti-adversaries

Alfarra

Pérez

Thabet

et al. 2022

AAAI

Self Cite

View full text Add to dashboard Cite

show abstract

“…They indicate that their scheme outperforms current attacks by lowering the performance of various CV tasks by a huge margin with only the latest perturbations. Perez et al 111 presented a comprehensive experimental study of test time transformation ensembling (TTE), in they have used image transforms and improved the adversarial robustness. They show that TTE continuously improves model robustness against a different powerful attack, excluding retraining.…”

Section: Al Techniques For Security and Privacy Preservationmentioning

confidence: 99%

Adversarial learning techniques for security and privacy preservation: A comprehensive review

Hathaliya

Tanwar

Sharma

2022

Security and Privacy

View full text Add to dashboard Cite

In recent years, the use of smart devices has increased exponentially, resulting in massive amounts of data. To handle this data, effective data storage and management has required. Cloud computing (CC) is a promising solution to deal with this huge amount of data. Electronic devices are collecting real‐time data from sensors and applications through a wireless communication channel in the digital era. In some cases, CC cannot protect against various malicious attacks in the wireless communication channel. To address this issue, we have used machine learning (ML) and deep learning (DL) techniques for attack detection in a wireless channel on an early basis. It trains a model to predict malicious activities of attackers, which aids in the security of CC's sensitive data. We employed adversarial learning techniques (AL) to add fake data into the model to ensure that the trained model was correct. The trained model can distinguish between the fake and real data from the training samples and improve the training samples' performance. AL provides different defense mechanisms to preserve the privacy of ML‐ and DL‐based model but does not ensure the system's robustness. To improve the system's robustness, we have used federated learning with blockchain technology to make a system more robust, reliable, accurate, and transparent. This integration aids in providing high‐graded security against adversarial attacks. This paper presents a comprehensive review to highlight the recent improvements in AL techniques. Moreover, we explored the various AL applications in security and privacy preservation. Finally, open research issues and future directions are discussed to show future research avenues.

show abstract

“…Such transformations could be used for a pre-processing of all the training data or an addition to the existing training set. Until very recently, data transformations are also used during test time [38,40,21,15,42] to improve learning models, e.g., adversarial robustness [38]. However, it remains unclear whether and how data transformation can improve FL particularly under different client heterogeneity.…”

Section: Introductionmentioning

confidence: 99%

Addressing Heterogeneity in Federated Learning via Distributional Transformation

Yuan

Hui

Yang

et al. 2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Federated learning (FL) allows multiple clients to collaboratively train a deep learning model. One major challenge of FL is when data distribution is heterogeneous, i.e., differs from one client to another. Existing personalized FL algorithms are only applicable to narrow cases, e.g., one or two data classes per client, and therefore they do not satisfactorily address FL under varying levels of data heterogeneity. In this paper, we propose a novel framework, called DisTrans, to improve FL performance (i.e., model accuracy) via train and test-time distributional transformations along with a double-input-channel model structure. Dis-Trans works by optimizing distributional offsets and models for each FL client to shift their data distribution, and aggregates these offsets at the FL server to further improve performance in case of distributional heterogeneity. Our evaluation on multiple benchmark datasets shows that DisTrans outperforms state-of-the-art FL methods and data augmentation methods under various settings and different degrees of client distributional heterogeneity.

show abstract

Enhancing Adversarial Robustness via Test-time Transformation Ensembling

Cited by 11 publications

References 22 publications

Combating Adversaries with Anti-adversaries

Combating Adversaries with Anti-adversaries

Adversarial learning techniques for security and privacy preservation: A comprehensive review

Addressing Heterogeneity in Federated Learning via Distributional Transformation

Contact Info

Product

Resources

About