Towards evolving robust neural architectures to defend from adversarial attacks

Kotyan, Shashank; Vargas, Danilo

doi:10.1145/3377929.3389962

Cited by 18 publications

(14 citation statements)

References 5 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Because their method results in a huge computational burden, RobNet uses a narrow search space with only three possible operations. RAS [33], an EA-based method, uses adversarial examples from a separate victim model to measure the robustness of candidate architectures, but their approach and objective are restricted to improving the robustness under black-box attacks. RACL [16], a gradient-based method, suggests to use the Lipschitz characteristics of the architecture parameters to achieve the target Lipschitz constant.…”

Section: Neural Architecture Searchmentioning

confidence: 99%

AdvRush: Searching for Adversarially Robust Neural Architectures

Mok

Choe

et al. 2021

Preprint

View full text Add to dashboard Cite

Deep neural networks continue to awe the world with their remarkable performance. Their predictions, however, are prone to be corrupted by adversarial examples that are imperceptible to humans. Current efforts to improve the robustness of neural networks against adversarial examples are focused on developing robust training methods, which update the weights of a neural network in a more robust direction. In this work, we take a step beyond training of the weight parameters and consider the problem of designing an adversarially robust neural architecture with high intrinsic robustness. We propose AdvRush, a novel adversarial robustness-aware neural architecture search algorithm, based upon a finding that independent of the training method, the intrinsic robustness of a neural network can be represented with the smoothness of its input loss landscape. Through a regularizer that favors a candidate architecture with a smoother input loss landscape, AdvRush successfully discovers an adversarially robust neural architecture. Along with a comprehensive theoretical motivation for Ad-vRush, we conduct an extensive amount of experiments to demonstrate the efficacy of AdvRush on various benchmark datasets. Notably, on CIFAR-10, AdvRush achieves 55.91% robust accuracy under FGSM attack after standard training and 50.04% robust accuracy under AutoAttack after 7-step PGD adversarial training.

show abstract

Section: Neural Architecture Searchmentioning

confidence: 99%

AdvRush: Searching for Adversarially Robust Neural Architectures

Mok

Choe

et al. 2021

Preprint

View full text Add to dashboard Cite

show abstract

“…In contrast, some studies reduce transferability by decreasing the magnitude of input gradients [40,41] and by reversing their direction [26,27]. However, only a limited number of studies, which have been published very recently, consider network architecture design to alleviate transferability [13,14,17,19,20]. By observation, the extent of transferability of adversarial examples between two models increases with architectural similarities.…”

Section: Related Work a Transferability Of Adversarial Examplesmentioning

confidence: 99%

“…In some studies, neuroevolution has been used for adversarial defense. In [14], neuroevolution was used to find networks that are robust against adversarial examples, although an exhaustive search in a large search space is required. Another study has employed a different NAS called differentiable architecture search (DARTS) [12] to find robust networks, which has been shown to be effective only for weak adversarial attacks [13].…”

Section: B Architecture Searchmentioning

confidence: 99%

“…A differentiable architecture search (DARTS) [12] has been used to find robust networks; however, it only works well with weak adversarial attacks [13]. In another study, neuroevolution has been employed to identify robust networks through an exhaustive search in a large search space [14]. Several studies have included adversarial training [15,16] in network architecture search to improve the search efficiency and robustness of the network.…”

Section: Introductionmentioning

confidence: 99%

“…Notably, the neuroevolution designed in this study is more efficient than other neuroevolutionbased architecture search in related studies. Kotyan and Vargas [14] proposed a powerful evolutionary method which includes block-wise, layer-wise, and model-wise evolution that pursues adversarially robust networks. Although with a considerably large number of generations, their method can discover robust networks, the exhaustive evolution requires a high computational cost.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Evolving Architectures With Gradient Misalignment Toward Low Adversarial Transferability

Operiano¹,

Pora

Iba³

et al. 2021

IEEE Access

View full text Add to dashboard Cite

Deep neural network image classifiers are known to be susceptible, not only to adversarial examples created for them, but also to those created for others. This phenomenon poses a potential security risk in various black-box systems that rely on image classifiers. One of the observations on networks that have transferability of adversarial examples between them is the similarity of their architectures. Networks with high architectural similarity tend to share high transferability as well. Thus, in this study, we address this problem from a novel perspective by investigating the contribution of network architecture to transferability. Specifically, we propose an architecture searching framework that employs neuroevolution to evolve network architectures and gradient misalignment loss to encourage networks to converge into dissimilar functions after training. Our findings indicate that the proposed framework successfully discovers architectures that reduce transferability from four standard networks, including ResNet and VGG, while maintaining good accuracy on unperturbed images. In addition, the evolved networks trained with gradient misalignment exhibit significantly lower transferability than a standard network trained with gradient misalignment, which indicates that network architecture plays an important role in reducing transferability. We demonstrate that designing or exploring proper network architectures is a promising approach to tackle the transferability issue and train adversarially robust image classifiers.

show abstract

Deriving and evaluating a fault model for testing data science applications

Jilani

Sherin

Ijaz

et al. 2022

J Software Evolu Process

View full text Add to dashboard Cite

Data science (DS) applications not only suffer from traditional software faults but may also suffer from data‐specific and model‐related faults. Fault models play an important role in evaluating and designing tests for testing DS applications. The existing fault models do not consider DS specific faults. In this study, we built a fault model DS applications. We investigate the faults by using diverse approaches: (i) a multi‐vocal literature survey of published literature, (ii) semi‐structured interviews of industry experts. The Multi‐vocal study allows us to synthesize the existing knowledge from researchers and practitioners. Qualitative data from semi‐structured interviews provide us with insights into the nature of faults encountered by practitioners. We combine the results of (i) and (ii) to derive a detailed fault model. The developed fault model is further validated through a quantitative survey of industry practitioners, and the respondents were asked to identify the faults from our proposed fault model that they have experienced and classify those faults based on their severity as perceived by practitioners and its frequency. The results show that practitioners consider prediction bias and model decay as the most severe faults while data sampling and splitting faults along with feature engineering faults are the most frequent.

show abstract

Towards evolving robust neural architectures to defend from adversarial attacks

Cited by 18 publications

References 5 publications

AdvRush: Searching for Adversarially Robust Neural Architectures

AdvRush: Searching for Adversarially Robust Neural Architectures

Evolving Architectures With Gradient Misalignment Toward Low Adversarial Transferability

Deriving and evaluating a fault model for testing data science applications

Contact Info

Product

Resources

About