2021
DOI: 10.48550/arxiv.2105.10304
Preprint
Exploring Misclassifications of Robust Neural Networks to Enhance Adversarial Attacks

Abstract: Progress in making neural networks more robust against adversarial attacks is mostly marginal, despite the great efforts of the research community. Moreover, the robustness evaluation is often imprecise, making it difficult to identify promising approaches. We analyze the classification decisions of 19 different state-of-the-art neural networks trained to be robust against adversarial attacks. Our findings suggest that current untargeted adversarial attacks induce misclassification towards only a limited amoun…

Cited by 5 publications (9 citation statements)
References 5 publications
“…the next best method. Additionally, we find that SwARo performs 4–9% better than baselines on Jitter attacks, an adversarial attack method that incorporates scale invariance and encourages diverse attack targets with smaller perturbations (Schwinn et al. [2021]). These results make SwARo more appealing in practice and suggest that our approach to enforcing adversarial perturbations, which considers both positive and negative pairs as well as semantic cluster information, ensures robustness against a diverse set of attack types.…”
Section: White Box Attacks
confidence: 76%
“…Ilyas et al [2019] hypothesize that the adversarial vulnerability of neural networks is a direct result of their sensitivity to well-generalizing features that are incomprehensible to humans. Schwinn et al [2021] discover that cross-entropy attacks fail against models with large logits, and propose to add logit noise and enforce scale invariance on the loss to mitigate this limitation and encourage the model to design diverse attack targets. All above methods are originally designed for supervised learning tasks.…”
Section: Related Workmentioning
confidence: 99%
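The citation statement above only sketches the mechanism of the Jitter attack at a high level (scale invariance on the loss plus logit noise). Below is a minimal, hedged illustration of that idea in PyTorch; it is not the authors' exact formulation, and the function name jitter_style_loss, the per-sample max-magnitude normalization, and the noise_std parameter are illustrative assumptions rather than values from the paper.

```python
import torch
import torch.nn.functional as F

def jitter_style_loss(logits, labels, noise_std=0.1):
    """Illustrative scale-invariant, noise-injected attack loss (assumed form)."""
    # Scale invariance: normalize each sample's logits by their largest magnitude,
    # so models with very large logits cannot trivially saturate the loss.
    scale = logits.abs().amax(dim=1, keepdim=True).clamp_min(1e-12)
    z = logits / scale
    # Logit noise: randomly perturbing the normalized logits encourages the
    # attack to move towards diverse (non-dominant) target classes.
    z = z + noise_std * torch.randn_like(z)
    # Untargeted objective: the attacker maximizes this loss w.r.t. the input.
    return F.cross_entropy(z, labels)
```

In use, an attacker would maximize this loss with respect to the input inside an iterative attack loop (e.g., PGD) instead of the plain cross-entropy loss.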
“…We adopt FGSM [9], I-FGSM [11], C&W [24], TPGD [38], and Jitter [39] as the comparison methods, along with the proposed Mixup-Attack and Mixcut-Attack methods, to conduct the untargeted black-box adversarial attack for both scene classification and semantic segmentation tasks. The perturbation level and the step size α in all methods are fixed to 1.…”
Section: B. Experimental Settings and Implementation Details
confidence: 99%