Robustness Certificates for Sparse Adversarial Attacks by Randomized Ablation

Levine, Alexander; Feizi, Soheil

doi:10.1609/aaai.v34i04.5888

Cited by 69 publications

(113 citation statements)

References 8 publications

Supporting

Mentioning

113

Contrasting

Order By: Relevance

“…Graph is essentially binary data, i.e., a pair of nodes can be either connected or unconnected. For binary data, a randomized smoothing method called randomized subsampling [27] achieves state-of-the-art certified robustness. Therefore, we design our certified defense based on randomized subsampling.…”

Section: Overviewmentioning

confidence: 99%

“…Randomized smoothing: Randomized smoothing [4,10,19,24,25,27,28,32] is state-of-the-art technique to build provably robust machine learning. Compared with other certified defense mechanisms, randomized smoothing has two key advantages: 1) scalable to large neural networks, and 2) applicable to arbitrary classifiers.…”

Section: Related Workmentioning

confidence: 99%

“…All these randomized smoothing methods add additive noise to a testing example. Levine et al [27] proposed randomized subsampling, which does not use additive noise and achieves state-of-the-art ℓ 0 norm certified robustness. We extend randomized subsampling to defend against our backdoor attacks.…”

Section: Related Workmentioning

confidence: 99%

“…Graph is binary data, i.e., a pair of nodes can be connected or unconnected. Randomized subsampling [27] is state-of-the-art randomized smoothing method for binary data. Therefore, we generalize randomized subsampling to defend against our backdoor attacks.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Backdoor Attacks to Graph Neural Networks

Zhang

Jia

Wang

et al. 2021

Proceedings of the 26th ACM Symposium on Access Control Models and Technologies

128

View full text Add to dashboard Cite

In this work, we propose the first backdoor attack to graph neural networks (GNN). Specifically, we propose a subgraph based backdoor attack to GNN for graph classification. In our backdoor attack, a GNN classifier predicts an attacker-chosen target label for a testing graph once a predefined subgraph is injected to the testing graph. Our empirical results on three real-world graph datasets show that our backdoor attacks are effective with a small impact on a GNN's prediction accuracy for clean testing graphs. Moreover, we generalize a randomized smoothing based certified defense to defend against our backdoor attacks. Our empirical results show that the defense is effective in some cases but ineffective in other cases, highlighting the needs of new defenses for our backdoor attacks. CCS Concepts• Security and privacy; Computing methodologies → Machine learning.

show abstract

Section: Overviewmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Backdoor Attacks to Graph Neural Networks

Zhang

Jia

Wang

et al. 2021

Proceedings of the 26th ACM Symposium on Access Control Models and Technologies

128

View full text Add to dashboard Cite

show abstract

“…Our defense strategy consists of two parts: image ablation and certificate retraining crowd counting models. The first step is inspired by the recent advance in image classifier certification [23]. Specifically, randomized ablation is effective against APAM attacks because the ablation results of normal image 𝑥 and adversarially perturbed image x are likely to be same (e.g., retaining 45 pixels for each images in Fig.…”

Section: Introductionmentioning

confidence: 99%

Towards Adversarial Patch Analysis and Certified Defense against Crowd Counting

Zou

Zhou

et al. 2021

Proceedings of the 29th ACM International Conference on Multimedia

View full text Add to dashboard Cite

Crowd counting has drawn much attention due to its importance in safety-critical surveillance systems. Especially, deep neural network (DNN) methods have significantly reduced estimation errors for crowd counting missions. Recent studies have demonstrated that DNNs are vulnerable to adversarial attacks, i.e., normal images with human-imperceptible perturbations could mislead DNNs to make false predictions. In this work, we propose a robust attack strategy called Adversarial Patch Attack with Momentum (APAM) to systematically evaluate the robustness of crowd counting models, where the attacker's goal is to create an adversarial perturbation that severely degrades their performances, thus leading to public safety accidents (e.g., stampede accidents). Especially, the proposed attack leverages the extreme-density background information of input images to generate robust adversarial patches via a series of transformations (e.g., interpolation, rotation, etc.). We observe that by perturbing less than 6% of image pixels, our attacks severely degrade the performance of crowd counting systems, both digitally and physically. To better enhance the adversarial robustness of crowd counting models, we propose the first regression modelbased Randomized Ablation (RA), which is more sufficient than Adversarial Training (ADT) (Mean Absolute Error of RA is 5 lower than ADT on clean samples and 30 lower than ADT on adversarial examples). Extensive experiments on five crowd counting models demonstrate the effectiveness and generality of the proposed method.

show abstract

ViP: Unified Certified Detection and Recovery for Patch Attack with Vision Transformers

Zhang

Xie

2022

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Robustness Certificates for Sparse Adversarial Attacks by Randomized Ablation

Cited by 69 publications

References 8 publications

Backdoor Attacks to Graph Neural Networks

Backdoor Attacks to Graph Neural Networks

Towards Adversarial Patch Analysis and Certified Defense against Crowd Counting

ViP: Unified Certified Detection and Recovery for Patch Attack with Vision Transformers

Contact Info

Product

Resources

About