Sparsity-based Defense Against Adversarial Attacks on Linear Classifiers

Marzi, Zhinus; Gopalakrishnan, Soorya; Madhow, Upamanyu; Pedarsani, Ramtin

doi:10.1109/isit.2018.8437638

Cited by 26 publications

(20 citation statements)

References 6 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Previous studies have investigated the effectiveness of using sparsity as a defense against such adversarial perturbations. For example, Z. Marzi et al [5] shows that enforcing sparsity by taking the K out of N largest elements in magnitude, and zeroing the rest, for an inputted classifier sample in the wavelet domain, successfully decreases the misclassification caused by an adversarial attack on a Support Vector Machine (SVM). Furthermore, A. N. Bhagoji et al [6] shows that projecting high dimensional data onto a lower dimensional subspace using Principle Component Analysis (PCA) is effective in decreasing adversarial success.…”

Section: A Related Workmentioning

confidence: 99%

“…More specifically, the injection of visually imperceptible l 2 and l ∞ bounded perturbations into the input testing data has shown to render even the most robust classifiers useless. For example, both Support Vector Machines (SVMs) and Artificial Neural Networks with robust classification metrics have resulted in nearly 0% accuracy when processing perturbed data [5] [6]. This paper presents novel defense strategies, which are not only capable of combatting such adversarial attacks, but are also more robust than current standards in the literature.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Combatting Adversarial Attacks through Denoising and Dimensionality Reduction: A Cascaded Autoencoder Approach

Sahay¹,

Mahfuz²,

Gamal³

2019

2019 53rd Annual Conference on Information Sciences and Systems (CISS)

View full text Add to dashboard Cite

Machine Learning models are vulnerable to adversarial attacks that rely on perturbing the input data. This work proposes a novel strategy using Autoencoder Deep Neural Networks to defend a machine learning model against two gradient-based attacks: The Fast Gradient Sign attack and Fast Gradient attack. First we use an autoencoder to denoise the test data, which is trained with both clean and corrupted data. Then, we reduce the dimension of the denoised data using the hidden layer representation of another autoencoder. We perform this experiment for multiple values of the bound of adversarial perturbations, and consider different numbers of reduced dimensions. When the test data is preprocessed using this cascaded pipeline, the tested deep neural network classifier yields a much higher accuracy, thus mitigating the effect of the adversarial perturbation.

show abstract

Section: A Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Combatting Adversarial Attacks through Denoising and Dimensionality Reduction: A Cascaded Autoencoder Approach

Sahay¹,

Mahfuz²,

Gamal³

2019

2019 53rd Annual Conference on Information Sciences and Systems (CISS)

View full text Add to dashboard Cite

show abstract

“…Although we do not provide decision-based attack results, other empirical work suggests that robustness in this regime can be improved with population nonlinearities, sparsity, and recurrence. For example, robustness to decision-based attacks has been shown by imposing sparsification ( Marzi, Gopalakrishnan, Madhow, & Pedarsani, 2018 ; Alexos, Panousis, & Chatzis, 2020 ), recurrence ( Krotov & Hopfield, 2018 ; Yan et al, 2019 ), and specifically with the LCA network ( Springer, Strauss, Thresher, Kim, & Kenyon, 2018 ; Kim, Yarnall, Shah, & Kenyon, 2019 ; Kim, Rego, Watkins, & Kenyon, 2020 ). We offer a theoretical explanation for these findings.…”

Section: Discussionmentioning

confidence: 99%

Selectivity and robustness of sparse coding networks

et al. 2020

View full text Add to dashboard Cite

We investigate how the population nonlinearities resulting from lateral inhibition and thresholding in sparse coding networks influence neural response selectivity and robustness. We show that when compared to pointwise nonlinear models, such population nonlinearities improve the selectivity to a preferred stimulus and protect against adversarial perturbations of the input. These findings are predicted from the geometry of the single-neuron iso-response surface, which provides new insight into the relationship between selectivity and adversarial robustness. Inhibitory lateral connections curve the iso-response surface outward in the direction of selectivity. Since adversarial perturbations are orthogonal to the iso-response surface, adversarial attacks tend to be aligned with directions of selectivity. Consequently, the network is less easily fooled by perceptually irrelevant perturbations to the input. Together, these findings point to benefits of integrating computational principles found in biological vision systems into artificial neural networks.

show abstract

“…In [41] it was observed that, if the input dimension is huge, even tiny perturbations, distinguishing an original from an adversarial image, can accumulate into an inner product with a weight vector to produce a huge distortion which sets the DNN astray onto a wrong classification. Subsequently, work in [70,71] proposes to combat such dimensionality phenomenon with a sparsifying front end which projects the input towards a lower dimensional space. Alternatively, [72] incorporates a subnetwork trained to distinguish legitimate from adversarial images.…”

Section: Related Workmentioning

confidence: 99%

Countering Acoustic Adversarial Attacks in Microphone-equipped Smart Home Devices

Bhattacharya

Manousakas

Ramos

et al. 2020

Proc. ACM Interact. Mob. Wearable Ubiquitous Technol.

View full text Add to dashboard Cite

Deep neural networks (DNNs) continue to demonstrate superior generalization performance in an increasing range of applications, including speech recognition and image understanding. Recent innovations in compression algorithms, design of efficient architectures and hardware accelerators have prompted a rapid growth in deploying DNNs on mobile and IoT devices to redefine user experiences. Relying on the superior inference quality of DNNs, various voice-enabled devices have started to pervade our everyday lives and are increasingly used for, e.g., opening and closing doors, starting or stopping washing machines, ordering products online, and authenticating monetary transactions. As the popularity of these voice-enabled services increases, so does their risk of being attacked. Recently, DNNs have been shown to be extremely brittle under adversarial attacks and people with malicious intentions can potentially exploit this vulnerability to compromise DNN-based voice-enabled systems. Although some existing work already highlights the vulnerability of audio models, very little is known of the behaviour of compressed on-device audio models under adversarial attacks. This paper bridges this gap by investigating thoroughly the vulnerabilities of compressed audio DNNs and makes a stride towards making compressed models robust. In particular, we propose a stochastic compression technique that generates compressed models with greater robustness to adversarial attacks. We present an extensive set of evaluations on adversarial vulnerability and robustness of DNNs in two diverse audio recognition tasks, while considering two popular attack algorithms: FGSM and PGD. We found that error rates of conventionally trained audio DNNs under attack can be as high as 100%. Under both white-and black-box attacks, our proposed approach is found to decrease the error rate of DNNs under attack by a large margin.

show abstract

Sparsity-based Defense Against Adversarial Attacks on Linear Classifiers

Cited by 26 publications

References 6 publications

Combatting Adversarial Attacks through Denoising and Dimensionality Reduction: A Cascaded Autoencoder Approach

Combatting Adversarial Attacks through Denoising and Dimensionality Reduction: A Cascaded Autoencoder Approach

Selectivity and robustness of sparse coding networks

Countering Acoustic Adversarial Attacks in Microphone-equipped Smart Home Devices

Contact Info

Product

Resources

About