You Only Propagate Once: Accelerating Adversarial Training via Maximal Principle

Zhang, Dinghuai; Zhang, Tianyuan; Lu, Yiping; Zhu, Zhanxing; Dong, Biao

doi:10.48550/arxiv.1905.00877

Cited by 44 publications

(65 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Due to SISR being a regression task, we can only compare our adversarial attack with FGSM (Goodfellow, Shlens, and Szegedy 2015) and PGD (Madry et al 2018), since the more recent alternatives, such as TRADES (Zhang et al 2019b) and YOPO (Zhang et al 2019a), are tailored for classification tasks.…”

Section: Methodsmentioning

confidence: 99%

Robust Unpaired Single Image Super-Resolution of Faces

Goswami¹,

A.N²

2022

Preprint

View full text Add to dashboard Cite

We propose an adversarial attack for facial class-specific Single Image Super-Resolution (SISR) methods. Existing attacks, such as the Fast Gradient Sign Method (FGSM) or the Projected Gradient Descent (PGD) method, are either fast but ineffective, or effective but prohibitively slow on these networks. By closely inspecting the surface that the MSE loss, used to train such networks, traces under varying degradations, we were able to identify its parameterizable property. We leverage this property to propose an adverasrial attack that is able to locate the optimum degradation (effective) without needing multiple gradient-ascent steps (fast). Our experiments show that the proposed method is able to achieve a better speed vs effectiveness trade-off than the state-of-theart adversarial attacks, such as FGSM and PGD, for the task of unpaired facial as well as class-specific SISR.

show abstract

Section: Methodsmentioning

confidence: 99%

Robust Unpaired Single Image Super-Resolution of Faces

Goswami¹,

A.N²

2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Existing adversarial defense methods can be roughly divided into two classes: attacking stage defense and testing stage defense. The adversarial training [41,62,51,28] is an effective way to improve model's robustness, which have two stages defense effect. There are other defense methods have two stages defense effect.…”

Section: Related Workmentioning

confidence: 99%

The art of defense: letting networks fool the attacker

Zhang¹,

Liu²,

Chen³

et al. 2021

Preprint

View full text Add to dashboard Cite

Some deep neural networks are invariant to some input transformations, such as Pointnet [35] is permutation invariant to the input point cloud. In this paper, we demonstrated this property can be powerful in the defense of gradient based attacks. Specifically, we apply random input transformation which is invariant to networks we want to defend. Extensive experiments demonstrate that the proposed scheme outperforms the state-of-the-art defense methods, and breaking the attack accuracy into nearly zero. Our code is available at: https://github. com/cuge1995/IT-Defense.

show abstract

“…Madry et al [10] developed it by training deep models with stronger adversaries generated by PGD. Subsequent works mainly focus on accelerating training [27], [28] and improving the resistance [29], [30], [31]. Zhang et al [32] characterized the trade-off between accuracy and robustness and proposed TRADES, which optimizes a regularized surrogate loss to improve the adversarial robustness of DNNs.…”

Section: B Adversarial Trainingmentioning

confidence: 99%

Tightening the Approximation Error of Adversarial Risk with Auto Loss Function Search

Xia¹,

Li²,

Li³

2021

Preprint

View full text Add to dashboard Cite

Numerous studies have demonstrated that deep neural networks are easily misled by adversarial examples. Effectively evaluating the adversarial robustness of a model is important for its deployment in practical applications. Currently, a common type of evaluation is to approximate the adversarial risk of a model as a robustness indicator by constructing malicious instances and executing attacks. Unfortunately, there is an error (gap) between the approximate value and the true value. Previous studies manually design attack methods to achieve a smaller error, which is inefficient and may miss a better solution.In this paper, we establish the tightening of the approximation error as an optimization problem and try to solve it with an algorithm. More specifically, we first analyze that replacing the non-convex and discontinuous 0-1 loss with a surrogate loss, a necessary compromise in calculating the approximation, is one of the main reasons for the error. Then we propose AutoLoss-AR, the first method for searching loss functions for tightening the approximation error of adversarial risk. Extensive experiments are conducted in multiple settings. The results demonstrate the effectiveness of the proposed method: the best-discovered loss functions outperform the handcrafted baseline by 0.9%-2.9% and 0.7%-2.0% on MNIST and CIFAR-10, respectively. Besides, we also verify that the searched losses can be transferred to other settings and explore why they are better than the baseline by visualizing the local loss landscape.

show abstract

You Only Propagate Once: Accelerating Adversarial Training via Maximal Principle

Cited by 44 publications

References 22 publications

Robust Unpaired Single Image Super-Resolution of Faces

Robust Unpaired Single Image Super-Resolution of Faces

The art of defense: letting networks fool the attacker

Tightening the Approximation Error of Adversarial Risk with Auto Loss Function Search

Contact Info

Product

Resources

About