Robustness and Transferability of Universal Attacks on Compressed Models

Matachana, Alberto G.; Co, Kenneth T.; Muñoz-González, Luis; Martinez, David; Lupu, Emil C.

doi:10.48550/arxiv.2012.06024

Cited by 1 publication

(1 citation statement)

References 28 publications

(43 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…UAP present a systemic risk, as they enable practical and physically realizable adversarial attacks. They have been demonstrated in many widely-used and safety-critical applications such as camera-based computer vision [7,8,2,18] and LiDAR-based object detection [10,11]. UAPs have also been shown to facilitate realistic attacks in both the physical [23] and digital [24] domains.…”

Section: Introductionmentioning

confidence: 99%

Jacobian Ensembles Improve Robustness Trade-offs to Adversarial Attacks

Co¹,

Martínez-Rego²,

Hau³

et al. 2022

Preprint

Self Cite

View full text Add to dashboard Cite

Deep neural networks have become an integral part of our software infrastructure and are being deployed in many widely-used and safety-critical applications. However, their integration into many systems also brings with it the vulnerability to test time attacks in the form of Universal Adversarial Perturbations (UAPs). UAPs are a class of perturbations that when applied to any input causes model misclassification. Although there is an ongoing effort to defend models against these adversarial attacks, it is often difficult to reconcile the trade-offs in model accuracy and robustness to adversarial attacks. Jacobian regularization has been shown to improve the robustness of models against UAPs, whilst model ensembles have been widely adopted to improve both predictive performance and model robustness. In this work, we propose a novel approach, Jacobian Ensembles -a combination of Jacobian regularization and model ensembles to significantly increase the robustness against UAPs whilst maintaining or improving model accuracy. Our results show that Jacobian Ensembles achieves previously unseen levels of accuracy and robustness, greatly improving over previous methods that tend to skew towards only either accuracy or robustness.

show abstract