Is Robustness the Cost of Accuracy? – A Comprehensive Study on the Robustness of 18 Deep Image Classification Models

Su, Dong; Zhang, Huan; Chen, Hongge; Yi, Jinfeng; Chen, Pin-Yu; Gao, Yupeng

doi:10.1007/978-3-030-01258-8_39

Cited by 260 publications

(232 citation statements)

References 32 publications

(35 reference statements)

Supporting

Mentioning

213

Contrasting

Order By: Relevance

“…It is important to note that x may not necessarily follow the distribution D. Thus, the studies on adversarial examples are different from these on model generalization. Moreover, a number of studies reported the relation between these two properties Su et al, 2018;Stutz et al, 2019;Zhang et al, 2019b). From our clarification, we hope that our audience get the difference and relation between risk and adversarial risk, and the importance of studying adversarial countermeasures.…”

Section: Adversarial Risk Vs Riskmentioning

confidence: 99%

Adversarial Attacks and Defenses in Images, Graphs and Text: A Review

Liu

et al. 2020

Int. J. Autom. Comput.

447

215

View full text Add to dashboard Cite

Deep neural networks (DNN) have achieved unprecedented success in numerous machine learning tasks in various domains. However, the existence of adversarial examples has raised concerns about applying deep learning to safety-critical applications. As a result, we have witnessed increasing interests in studying attack and defense mechanisms for DNN models on different data types, such as images, graphs and text. Thus, it is necessary to provide a systematic and comprehensive overview of the main threats of attacks and the success of corresponding countermeasures. In this survey, we review the state of the art algorithms for generating adversarial examples and the countermeasures against adversarial examples, for the three popular data types, i.e., images, graphs and text.

show abstract

Section: Adversarial Risk Vs Riskmentioning

confidence: 99%

Adversarial Attacks and Defenses in Images, Graphs and Text: A Review

Liu

et al. 2020

Int. J. Autom. Comput.

447

215

View full text Add to dashboard Cite

show abstract

“…A number of stochastic and non-differentiable defenses have been proposed and subsequently shown to be vulnerable to attacks which take these qualities into account [9]. Still other defense papers have focused on defense against specifically single-step attacks [21], were marginally less effective versions of the previously mentioned, state-of-the-art approaches [22], or focused on the natural defensive qualities of different architectures rather than ways of improving their defenses [23].…”

Section: Related Workmentioning

confidence: 99%

Adversarial explanations for understanding image classification decisions and improved neural network robustness

2019

View full text Add to dashboard Cite

For sensitive problems, such as medical imaging or fraud detection, Neural Network (NN) adoption has been slow due to concerns about their reliability, leading to a number of algorithms for explaining their decisions. NNs have also been found vulnerable to a class of imperceptible attacks, called adversarial examples, which arbitrarily alter the output of the network. Here we demonstrate both that these attacks can invalidate prior attempts to explain the decisions of NNs, and that with very robust networks, the attacks themselves may be leveraged as explanations with greater fidelity to the model. We show that the introduction of a novel regularization technique inspired by the Lipschitz constraint, alongside other proposed improvements, greatly improves an NN's resistance to adversarial examples. On the ImageNet classification task, we demonstrate a network with an Accuracy-Robustness Area (ARA) of 0.0053, an ARA 2.4 × greater than the previous state of the art. Improving the mechanisms by which NN decisions are understood is an important direction for both establishing trust in sensitive domains and learning more about the stimuli to which NNs respond.

show abstract

“…In this method, although one can strengthen the defending effectiveness by using adversarial examples with large distortions, it also leads to degraded classification accuracy on natural images. In fact, although the ultimate goal of defenders is to design effective defense with negligible harms on other factors, some researchers also point out the trade-off between adversarial robustness and its cost factor (such as test accuracy) may be an inevitable nature of deep neural nets [21,22].…”

Section: Introductionmentioning

confidence: 99%

AdvMS: A Multi-Source Multi-Cost Defense Against Adversarial Attacks

Wang

Chen

et al. 2020

ICASSP 2020 - 2020 IEEE International Conference on Acoustics, Speech and Signal Processing (ICASSP)

Self Cite

View full text Add to dashboard Cite

Designing effective defense against adversarial attacks is a crucial topic as deep neural networks have been proliferated rapidly in many security-critical domains such as malware detection and self-driving cars. Conventional defense methods, although shown to be promising, are largely limited by their single-source single-cost nature: The robustness promotion tends to plateau when the defenses are made increasingly stronger while the cost tends to amplify. In this paper, we study principles of designing multi-source and multi-cost schemes where defense performance is boosted from multiple defending components. Based on this motivation, we propose a multi-source and multi-cost defense scheme, Adversarially Trained Model Switching (AdvMS), that inherits advantages from two leading schemes: adversarial training and random model switching. We show that the multi-source nature of AdvMS mitigates the performance plateauing issue and the multi-cost nature enables improving robustness at a flexible and adjustable combination of costs over different factors which can better suit specific restrictions and needs in practice.Index Terms-Adversarial attack, adversarial robustness, stochastic defense, adversarial training.

show abstract

Is Robustness the Cost of Accuracy? – A Comprehensive Study on the Robustness of 18 Deep Image Classification Models

Cited by 260 publications

References 32 publications

Adversarial Attacks and Defenses in Images, Graphs and Text: A Review

Adversarial Attacks and Defenses in Images, Graphs and Text: A Review

Adversarial explanations for understanding image classification decisions and improved neural network robustness

AdvMS: A Multi-Source Multi-Cost Defense Against Adversarial Attacks

Contact Info

Product

Resources

About