Where Does the Robustness Come from? A Study of the Transformation-based Ensemble Defence
- URL: http://arxiv.org/abs/2009.13033v2
- Date: Thu, 8 Oct 2020 09:16:18 GMT
- Title: Where Does the Robustness Come from? A Study of the Transformation-based Ensemble Defence
- Authors: Chang Liao, Yao Cheng, Chengfang Fang, Jie Shi
- Abstract summary: It is not clear whether the robustness improvement is a result of transformation or ensemble.
We conduct experiments to show that 1) the transferability of adversarial examples exists among the models trained on data records after different reversible transformations; 2) the robustness gained through transformation-based ensemble is limited; and 3) this limited robustness is mainly from the irreversible transformations rather than the ensemble of a number of models.
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: This paper aims to provide a thorough study on the effectiveness of the transformation-based ensemble defence for image classification and the reasons behind it. It has been empirically shown that such defences can enhance the robustness against evasion attacks, while there is little analysis of the reasons. In particular, it is not clear whether the robustness improvement is a result of the transformation or of the ensemble. In this paper, we design two adaptive attacks to better evaluate the transformation-based ensemble defence. We conduct experiments to show that 1) the transferability of adversarial examples exists among the models trained on data records after different reversible transformations; 2) the robustness gained through the transformation-based ensemble is limited; 3) this limited robustness comes mainly from the irreversible transformations rather than from the ensemble of a number of models; and 4) blindly increasing the number of sub-models in a transformation-based ensemble does not bring extra robustness gain.
Related papers
- Transformation-Dependent Adversarial Attacks (2024-06-12T17:31:36Z)
  We introduce transformation-dependent adversarial attacks, a new class of threats where a single additive perturbation can trigger diverse, controllable mis-predictions.
  Unlike traditional attacks with static effects, our perturbations embed metamorphic properties to enable different adversarial attacks as a function of the transformation parameters.
- RBFormer: Improve Adversarial Robustness of Transformer by Robust Bias (2023-09-23T03:55:51Z)
  Introducing adversarial examples as a robustness consideration has had a profound and detrimental impact on the performance of well-established convolution-based structures.
  In this paper, we employ a rational structure design approach to mitigate such vulnerabilities.
  We introduce a novel structure called Robust Bias Transformer-based Structure (RBFormer) that shows robust superiority compared to several existing baseline structures.
- Benchmarking Robustness of Adaptation Methods on Pre-trained Vision-Language Models (2023-06-03T11:05:04Z)
  We assess the robustness of 11 widely-used adaptation methods across 4 vision-language datasets under multimodal corruptions.
  Our analysis reveals that: 1) Adaptation methods are more sensitive to text corruptions than visual corruptions.
  Contrary to expectations, our findings indicate that increasing the number of adaptation data and parameters does not guarantee enhanced robustness.
- Improving Adversarial Robustness to Sensitivity and Invariance Attacks with Deep Metric Learning (2022-11-04T13:54:02Z)
  A standard method in adversarial robustness assumes a framework to defend against samples crafted by minimally perturbing a sample.
  We use metric learning to frame adversarial regularization as an optimal transport problem.
  Our preliminary results indicate that regularizing over invariant perturbations in our framework improves both invariant and sensitivity defense.
- GSmooth: Certified Robustness against Semantic Transformations via Generalized Randomized Smoothing (2022-06-09T07:12:17Z)
  We propose a unified theoretical framework for certifying robustness against general semantic transformations.
  Under the GSmooth framework, we present a scalable algorithm that uses a surrogate image-to-image network to approximate the complex transformation.
- An Intermediate-level Attack Framework on The Basis of Linear Regression (2022-03-21T03:54:53Z)
  This paper substantially extends our work published at ECCV, in which an intermediate-level attack was proposed to improve the transferability of some baseline adversarial examples.
  We advocate establishing a direct linear mapping from the intermediate-level discrepancies (between adversarial features and benign features) to the classification prediction loss of the adversarial example.
  We show that 1) a variety of linear regression models can all be considered in order to establish the mapping, 2) the magnitude of the finally obtained intermediate-level discrepancy is linearly correlated with adversarial transferability, and 3) a further boost of the performance can be achieved by performing multiple runs of the baseline attack with
- Towards Robust and Adaptive Motion Forecasting: A Causal Representation Perspective (2021-11-29T18:59:09Z)
  We introduce a causal formalism of motion forecasting, which casts the problem as a dynamic process with three groups of latent variables.
  We devise a modular architecture that factorizes the representations of invariant mechanisms and style confounders to approximate a causal graph.
  Experiment results on synthetic and real datasets show that our three proposed components significantly improve the robustness and reusability of the learned motion representations.
- Adaptive Image Transformations for Transfer-based Adversarial Attack (2021-11-27T08:15:44Z)
  We propose a novel architecture, called Adaptive Image Transformation Learner (AITL).
  Our elaborately designed learner adaptively selects the most effective combination of image transformations specific to the input image.
  Our method significantly improves the attack success rates on both normally trained models and defense models under various settings.
- Adaptive Feature Alignment for Adversarial Training (2021-05-31T17:01:05Z)
  CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
  We propose the adaptive feature alignment (AFA) to generate features of arbitrary attacking strengths.
  Our method is trained to automatically align features of arbitrary attacking strength.
- Data Augmentation via Structured Adversarial Perturbations (2020-11-05T18:07:55Z)
  We propose a method to generate adversarial examples that maintain some desired natural structure.
  We demonstrate this approach through two types of image transformations: photometric and geometric.
- TREND: Transferability based Robust ENsemble Design (2020-08-04T13:38:14Z)
  We study the effect of network architecture, input, weight and activation quantization on the transferability of adversarial samples.
  We show that transferability is significantly hampered by input quantization between source and target.
  We propose a new state-of-the-art ensemble attack to combat this.