On the Limitations of Denoising Strategies as Adversarial Defenses
- URL: http://arxiv.org/abs/2012.09384v1
- Date: Thu, 17 Dec 2020 03:54:30 GMT
- Title: On the Limitations of Denoising Strategies as Adversarial Defenses
- Authors: Zhonghan Niu, Zhaoxi Chen, Linyi Li, Yubin Yang, Bo Li, Jinfeng Yi
- Abstract summary: Adversarial attacks against machine learning models have raised increasing concerns.
In this paper, we analyze the defense strategies in the form of symmetric transformation via data denoising and reconstruction.
Experiment results show that the adaptive compression strategies enable the model to better suppress adversarial perturbations.
- Score: 29.73831728610021
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: As adversarial attacks against machine learning models have raised increasing
concerns, many denoising-based defense approaches have been proposed. In this
paper, we summarize and analyze the defense strategies in the form of symmetric
transformation via data denoising and reconstruction (denoted as $F$ + inverse
$F$, the $F$-$IF$ framework). In particular, we categorize these denoising
strategies from three aspects (i.e. denoising in the spatial domain, frequency
domain, and latent space, respectively). Typically, the defense is performed on
the entire adversarial example, so both the image and the perturbation are
modified, making it difficult to tell how it defends against the perturbation.
To evaluate the robustness of these denoising strategies intuitively, we
directly apply them to defend against the adversarial noise itself (assuming we
have obtained all of it), which saves us from sacrificing benign accuracy.
Surprisingly, our experimental results show that even if most of the
perturbation in each dimension is eliminated, it is still difficult to obtain
satisfactory robustness. Based on the above findings and analyses, we propose an
adaptive compression strategy for different frequency bands in the feature
domain to improve the robustness. Our experimental results show that the
adaptive compression strategies enable the model to better suppress adversarial
perturbations and improve robustness compared with existing denoising
strategies.
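The abstract describes the $F$ + inverse $F$ pattern (transform, denoise, transform back) and the evaluation trick of applying the defense to the adversarial noise on its own. The following is an added worked example, not code from the paper or its authors: it instantiates $F$ as an orthonormal 2-D DCT-II, the denoiser as a per-frequency-band gain (hard low-pass, or a roll-off that compresses higher bands harder, standing in for the "adaptive compression" idea), and $F^{-1}$ as the transpose DCT. The band definition (band = u + v), the budget eps = 8/255, the function names and the perturbations are all constructed assumptions for illustration; nothing here reproduces the paper's actual attack, model or numbers.

```python
"""Frequency-domain F + inverse-F (F-IF) denoising defense, worked example.

Added example, not code from the paper.  F is an orthonormal 2-D DCT-II,
the denoiser D scales each frequency band by a gain (1 = keep, 0 = drop,
in between = "compress"), and F^-1 is the transpose DCT.  Every perturbation
below is constructed for illustration with an L_inf budget of EPS = 8/255;
none is taken from an attack in the paper.  All names are hypothetical.
"""
import numpy as np

EPS = 8.0 / 255.0


def dct_matrix(n: int) -> np.ndarray:
    """Orthonormal DCT-II matrix C (n x n).  C is orthogonal, so the inverse
    transform is C.T and F^-1(F(x)) == x up to floating-point rounding."""
    k = np.arange(n)[:, None]
    i = np.arange(n)[None, :]
    c = np.sqrt(2.0 / n) * np.cos(np.pi * (2 * i + 1) * k / (2 * n))
    c[0, :] = np.sqrt(1.0 / n)
    return c


def band_of(n: int) -> np.ndarray:
    """Band label u + v of DCT coefficient (u, v); bands run 0 .. 2n-2.
    Low bands hold smooth image content, high bands hold fine texture."""
    u = np.arange(n)[:, None]
    v = np.arange(n)[None, :]
    return u + v


def lowpass_gain(n: int, cutoff: int) -> np.ndarray:
    """Hard compression: keep bands below `cutoff`, zero everything above."""
    return (np.arange(2 * n - 1) < cutoff).astype(float)


def rolloff_gain(n: int) -> np.ndarray:
    """Adaptive-style compression: gain falls linearly from 1 (band 0) to 0
    (top band), so higher bands are compressed harder instead of all-or-nothing."""
    return 1.0 - np.arange(2 * n - 1) / (2 * n - 2)


def fif_defend(x: np.ndarray, gain: np.ndarray) -> np.ndarray:
    """x -> F^-1(D(F(x))): transform, scale each coefficient by its band gain,
    transform back.  D is linear here, which `defense_is_linear` relies on."""
    n = x.shape[0]
    c = dct_matrix(n)
    coeffs = c @ x @ c.T                 # F
    coeffs = coeffs * gain[band_of(n)]   # D: per-band compression
    return c.T @ coeffs @ c              # F^-1


def residual_energy_fraction(delta: np.ndarray, gain: np.ndarray) -> float:
    """Share of perturbation energy surviving the defense when the defense is
    applied to the noise alone (the abstract's 'assume we have all of it' test)."""
    survived = fif_defend(delta, gain)
    return float(np.sum(survived ** 2) / np.sum(delta ** 2))


def perturbation_in_bands(n: int, lo: int, hi: int, seed: int = 0) -> np.ndarray:
    """Constructed perturbation whose spectrum lives only in bands lo <= b < hi,
    rescaled to L_inf norm EPS.  Models an attacker who places the perturbation
    exactly where the denoiser does (or does not) look."""
    rng = np.random.default_rng(seed)
    coeffs = rng.standard_normal((n, n))
    band = band_of(n)
    coeffs[(band < lo) | (band >= hi)] = 0.0
    c = dct_matrix(n)
    delta = c.T @ coeffs @ c
    return EPS * delta / np.max(np.abs(delta))


def sign_perturbation(n: int, seed: int = 0) -> np.ndarray:
    """Constructed FGSM-style perturbation: +-EPS in every pixel, roughly flat
    spectrum, so a band filter keeps about the fraction of coefficients it passes."""
    rng = np.random.default_rng(seed)
    return EPS * rng.choice([-1.0, 1.0], size=(n, n))


def defense_is_linear(x: np.ndarray, delta: np.ndarray, gain: np.ndarray) -> bool:
    """For a linear D, defend(x + delta) - defend(x) == defend(delta): evaluating
    on the noise alone is then exact, not an approximation.  A nonlinear denoiser
    (median filter, autoencoder) would fail this identity."""
    lhs = fif_defend(x + delta, gain) - fif_defend(x, gain)
    return bool(np.allclose(lhs, fif_defend(delta, gain), atol=1e-9))


if __name__ == "__main__":
    n = 32
    gain = lowpass_gain(n, cutoff=n)              # keeps n(n+1)/2 of n*n coefficients
    cases = [
        ("high-band", perturbation_in_bands(n, n, 2 * n - 1)),  # only above the cutoff
        ("low-band", perturbation_in_bands(n, 0, n)),            # only below the cutoff
        ("sign", sign_perturbation(n)),
    ]
    for name, d in cases:
        print(f"{name:10s} hard low-pass keeps {residual_energy_fraction(d, gain):.3f} "
              f"of the energy; roll-off keeps {residual_energy_fraction(d, rolloff_gain(n)):.3f}")
```

The high-band perturbation is removed entirely and the low-band one survives untouched at the same $L_\infty$ budget, which is the practitioner's caveat: a denoiser only suppresses the part of the perturbation that lies in the coefficients it attenuates, and an adaptive attacker can put the perturbation elsewhere. The linearity check justifies the noise-only evaluation for this particular $F$-$IF$ instance; for a nonlinear denoiser the identity does not hold and the noise-only result is only indicative.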
Related papers
- Heteroscedastic Uncertainty Estimation Framework for Unsupervised Registration [32.081258147692395]
We propose a framework for heteroscedastic image uncertainty estimation.
It can adaptively reduce the influence of regions with high uncertainty during unsupervised registration.
Our method consistently outperforms baselines and produces sensible uncertainty estimates.
arXiv Detail & Related papers (2023-12-01T01:03:06Z)
- ODDR: Outlier Detection & Dimension Reduction Based Defense Against Adversarial Patches [4.4100683691177816]
Adversarial attacks present a significant challenge to the dependable deployment of machine learning models.
We propose Outlier Detection and Dimension Reduction (ODDR), a comprehensive defense strategy to counteract patch-based adversarial attacks.
Our approach is based on the observation that input features corresponding to adversarial patches can be identified as outliers.
arXiv Detail & Related papers (2023-11-20T11:08:06Z)
- Improve Noise Tolerance of Robust Loss via Noise-Awareness [60.34670515595074]
We propose a meta-learning method which is capable of adaptively learning a hyperparameter prediction function, called Noise-Aware-Robust-Loss-Adjuster (NARL-Adjuster for brevity).
We attempt to integrate four SOTA robust loss functions with our algorithm, and comprehensive experiments substantiate the general availability and effectiveness of the proposed method in both its noise tolerance and performance.
arXiv Detail & Related papers (2023-01-18T04:54:58Z)
- Ada3Diff: Defending against 3D Adversarial Point Clouds via Adaptive Diffusion [70.60038549155485]
Deep 3D point cloud models are sensitive to adversarial attacks, which poses threats to safety-critical applications such as autonomous driving.
This paper introduces a novel distortion-aware defense framework that can rebuild the pristine data distribution with a tailored intensity estimator and a diffusion model.
arXiv Detail & Related papers (2022-11-29T14:32:43Z)
- Towards Adversarially Robust Deep Image Denoising [199.2458715635285]
This work systematically investigates the adversarial robustness of deep image denoisers (DIDs).
We propose a novel adversarial attack, namely Observation-based Zero-mean Attack (ObsAtk), to craft adversarial zero-mean perturbations on given noisy images.
To robustify DIDs, we propose hybrid adversarial training (HAT) that jointly trains DIDs with adversarial and non-adversarial noisy data.
arXiv Detail & Related papers (2022-01-12T10:23:14Z)
- Improving White-box Robustness of Pre-processing Defenses via Joint Adversarial Training [106.34722726264522]
A range of adversarial defense techniques have been proposed to mitigate the interference of adversarial noise.
Pre-processing methods may suffer from the robustness degradation effect.
A potential cause of this negative effect is that adversarial training examples are static and independent of the pre-processing model.
We propose a method called Joint Adversarial Training based Pre-processing (JATP) defense.
arXiv Detail & Related papers (2021-06-10T01:45:32Z)
- Removing Adversarial Noise in Class Activation Feature Space [160.78488162713498]
We propose to remove adversarial noise by implementing a self-supervised adversarial training mechanism in a class activation feature space.
We train a denoising model to minimize the distances between the adversarial examples and the natural examples in the class activation feature space.
Empirical evaluations demonstrate that our method could significantly enhance adversarial robustness in comparison to previous state-of-the-art approaches.
arXiv Detail & Related papers (2021-04-19T10:42:24Z)
- Towards Robust Speech-to-Text Adversarial Attack [78.5097679815944]
This paper introduces a novel adversarial algorithm for attacking the state-of-the-art speech-to-text systems, namely DeepSpeech, Kaldi, and Lingvo.
Our approach is based on developing an extension for the conventional distortion condition of the adversarial optimization formulation.
Minimizing over this metric, which measures the discrepancies between original and adversarial samples' distributions, contributes to crafting signals very close to the subspace of legitimate speech recordings.
arXiv Detail & Related papers (2021-03-15T01:51:41Z)
- From a Fourier-Domain Perspective on Adversarial Examples to a Wiener Filter Defense for Semantic Segmentation [27.04820989579924]
Deep neural networks are not robust against adversarial perturbations.
In this work, we study the adversarial problem from a frequency domain perspective.
We propose an adversarial defense method based on the well-known Wiener filters.
arXiv Detail & Related papers (2020-12-02T22:06:04Z)
- Adversarial attacks on audio source separation [26.717340178640498]
We reformulate various adversarial attack methods for the audio source separation problem.
We propose a simple yet effective regularization method to obtain imperceptible adversarial noise.
We also show the robustness of source separation models against a black-box attack.
arXiv Detail & Related papers (2020-10-07T05:02:21Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of its content (including all information) and is not responsible for any consequences.