Improving Adversarial Robustness via Guided Complement Entropy

Chen, Haoyun; Liang, Jhao-Hong; Chang, Shih-Chieh; Pan, Jia-Yu; Chen, Yuting; Wei, Wei; Juan, Da-Cheng

doi:10.48550/arxiv.1903.09799

Cited by 3 publications

(4 citation statements)

References 15 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…From the defenders' side, recently proposed methods for improving the safety of deep learning systems include [2][3][4]9,12,18,19,21,26,27,31,32,34,37,40,43,45,47,50,53,56,57]. Most of these methods fall broadly into the following several classes: (1) adversarial training where the adversarial samples are used for retraining the deep learning systems [3,22,45,48,50]; (2) gradient masking where the deep learning system is designed to have an extremely flat loss function landscape with respect to the perturbations in input samples [4,40]; (3) feature discretization where we simply discretize the features of samples (both benign samples and adversarial samples) before we feed it to the deep learning systems [37,57]; (4) generative model based approach where we find a sample from the distribution of benign samples to approximate an arbitrary given sample, and then use the approximation as input for the deep learning systems [18,21,26,31,32,43,47].…”

Section: Related Workmentioning

confidence: 99%

“…following the standard Gaussian distribution N (0, 1). From the concentration of measure [15], for any positive < 1, 12 .…”

Section: Classifiers With Linear Compression Functionsmentioning

confidence: 99%

“…This means the ∇h(x)o is concentrated at E ∇h(x) { ∇h(x)o } which is less than √ M . Thus, combining (12) and ( 14), we have with high probability…”

Section: Nonlinear Decision Statistics In Ai Classifiersmentioning

confidence: 99%

“…The readers are invited to see Table 3 and Figure 8a for performance of FNN pixel predictor trained on benign samples in class 0, and evaluated over adversarial samples from other classes which are misclassified as class 0. See Table 11,12,13,14,15,16,17,18,19 and Figure 8b,16a,16b,17a,17b,18a,18b,19a,19b in Appendix for other cases. Similarly for CRS pattern, we consider a given target class, and generate adversarial samples from all the rest 9 classes which are misclassified by the classifier as this target class.…”

Section: Effects Of Sampling Percentagementioning

confidence: 99%

See 3 more Smart Citations

Trust but Verify: An Information-Theoretic Explanation for the Adversarial Fragility of Machine Learning Systems, and a General Defense against Adversarial Attacks

Yi¹,

Xie²,

Zhou³

et al. 2019

Preprint

View full text Add to dashboard Cite

Deep-learning based classification algorithms have been shown to be susceptible to adversarial attacks: minor changes to the input of classifiers can dramatically change their outputs, while being imperceptible to humans. In this paper, we present a simple hypothesis about a feature compression property of artificial intelligence (AI) classifiers and present theoretical arguments to show that this hypothesis successfully accounts for the observed fragility of AI classifiers to small adversarial perturbations. Drawing on ideas from information and coding theory, we propose a general class of defenses for detecting classifier errors caused by abnormally small input perturbations. We further show theoretical guarantees for the performance of this detection method. We present experimental results with (a) a voice recognition system, and (b) a digit recognition system using the MNIST database, to demonstrate the effectiveness of the proposed defense methods. The ideas in this paper are motivated by a simple analogy between AI classifiers and the standard Shannon model of a communication system.

show abstract

Section: Related Workmentioning

confidence: 99%

“…following the standard Gaussian distribution N (0, 1). From the concentration of measure [15], for any positive < 1, 12 .…”

Section: Classifiers With Linear Compression Functionsmentioning

confidence: 99%

“…This means the ∇h(x)o is concentrated at E ∇h(x) { ∇h(x)o } which is less than √ M . Thus, combining (12) and ( 14), we have with high probability…”

Section: Nonlinear Decision Statistics In Ai Classifiersmentioning

confidence: 99%

Section: Effects Of Sampling Percentagementioning

confidence: 99%

See 2 more Smart Citations

Trust but Verify: An Information-Theoretic Explanation for the Adversarial Fragility of Machine Learning Systems, and a General Defense against Adversarial Attacks

Yi¹,

Xie²,

Zhou³

et al. 2019

Preprint

View full text Add to dashboard Cite

show abstract

Improving Adversarial Robustness via Probabilistically Compact Loss with Logit Constraints

Deng

et al. 2021

AAAI

View full text Add to dashboard Cite

Convolutional neural networks (CNNs) have achieved state-of-the-art performance on various tasks in computer vision. However, recent studies demonstrate that these models are vulnerable to carefully crafted adversarial samples and suffer from a significant performance drop when predicting them. Many methods have been proposed to improve adversarial robustness (e.g., adversarial training and new loss functions to learn adversarially robust feature representations). Here we offer a unique insight into the predictive behavior of CNNs that they tend to misclassify adversarial samples into the most probable false classes. This inspires us to propose a new Probabilistically Compact (PC) loss with logit constraints which can be used as a drop-in replacement for cross-entropy (CE) loss to improve CNN's adversarial robustness. Specifically, PC loss enlarges the probability gaps between true class and false classes meanwhile the logit constraints prevent the gaps from being melted by a small perturbation. We extensively compare our method with the state-of-the-art using large scale datasets under both white-box and black-box attacks to demonstrate its effectiveness. The source codes are available at https://github.com/xinli0928/PC-LC.

show abstract

Learning with Hierarchical Complement Objective

Chen¹,

Tsai²,

Chang³

et al. 2019

Preprint

View full text Add to dashboard Cite

Label hierarchies widely exist in many vision-related problems, ranging from explicit label hierarchies existed in image classification to latent label hierarchies existed in semantic segmentation. Nevertheless, state-of-the-art methods often deploy cross-entropy loss that implicitly assumes class labels to be exclusive and thus independence from each other. Motivated by the fact that classes from the same parental category usually share certain similarity, we design a new training diagram called Hierarchical Complement Objective Training (HCOT) that leverages the information from label hierarchy. HCOT maximizes the probability of the ground truth class, and at the same time, neutralizes the probabilities of rest of the classes in a hierarchical fashion, making the model take advantage of the label hierarchy explicitly. The proposed HCOT is evaluated on both image classification and semantic segmentation tasks. Experimental results confirm that HCOT outperforms state-of-the-art models in CIFAR-100, ImageNet-2012, and PASCAL-Context. The study further demonstrates that HCOT can be applied on tasks with latent label hierarchies, which is a common characteristic in many machine learning tasks.

show abstract

Improving Adversarial Robustness via Guided Complement Entropy

Cited by 3 publications

References 15 publications

Trust but Verify: An Information-Theoretic Explanation for the Adversarial Fragility of Machine Learning Systems, and a General Defense against Adversarial Attacks

Trust but Verify: An Information-Theoretic Explanation for the Adversarial Fragility of Machine Learning Systems, and a General Defense against Adversarial Attacks

Improving Adversarial Robustness via Probabilistically Compact Loss with Logit Constraints

Learning with Hierarchical Complement Objective

Contact Info

Product

Resources

About