Adversarial examples [78], i.e., nearly imperceptibly perturbed inputs that cause misclassification, assume an adversarial environment in which an attacker can actively manipulate a model's inputs. Such attacks have been demonstrated in the white-box setting, where the attacker has full access to the DNN, e.g., [20], [79], [80], [81], [82], as well as in the black-box setting, where the DNN's weights and gradients are unavailable, e.g., [83], [84], [85], [86]. These attacks also transfer between models [87] and can be mounted in the physical world [88], [89].
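To make the white-box setting concrete, the following is a minimal sketch of the fast gradient sign method (FGSM), a canonical one-step white-box attack: it perturbs the input in the direction of the sign of the loss gradient, which presumes gradient access to the model. The PyTorch classifier, the epsilon budget, and the [0, 1] input range are illustrative assumptions, not details taken from the cited works.

```python
import torch
import torch.nn as nn
import torch.nn.functional as F

def fgsm_attack(model: nn.Module, x: torch.Tensor, y: torch.Tensor,
                epsilon: float = 0.03) -> torch.Tensor:
    """One-step FGSM: nudge each input component by epsilon in the
    direction that increases the classification loss."""
    x = x.clone().detach().requires_grad_(True)
    loss = F.cross_entropy(model(x), y)
    loss.backward()  # white-box step: requires the model's gradients
    x_adv = x + epsilon * x.grad.sign()
    return x_adv.clamp(0.0, 1.0).detach()  # keep inputs in [0, 1]

# Usage with a toy classifier (stand-in for a trained DNN):
model = nn.Sequential(nn.Flatten(), nn.Linear(28 * 28, 10))
x = torch.rand(8, 1, 28, 28)            # batch of "images" in [0, 1]
y = torch.randint(0, 10, (8,))          # ground-truth labels
x_adv = fgsm_attack(model, x, y)
print((x_adv - x).abs().max())          # perturbation is at most epsilon
```

Black-box attacks, by contrast, must work without this gradient, e.g., by querying the model and estimating gradients from its outputs or by transferring examples crafted on a substitute model.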