Adversarial Robustness by Design through Analog Computing and Synthetic Gradients
- URL: http://arxiv.org/abs/2101.02115v1
- Date: Wed, 6 Jan 2021 16:15:29 GMT
- Title: Adversarial Robustness by Design through Analog Computing and Synthetic Gradients
- Authors: Alessandro Cappelli, Ruben Ohana, Julien Launay, Laurent Meunier, Iacopo Poli, Florent Krzakala
- Abstract summary: We propose a new defense mechanism against adversarial attacks inspired by an optical co-processor.
In the white-box setting, our defense works by obfuscating the parameters of the random projection.
We find the combination of a random projection and binarization in the optical system also improves robustness against various types of black-box attacks.
- Score: 80.60080084042666
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: We propose a new defense mechanism against adversarial attacks inspired by an optical co-processor, providing robustness without compromising natural accuracy in both white-box and black-box settings. This hardware co-processor performs a nonlinear fixed random transformation, where the parameters are unknown and impossible to retrieve with sufficient precision for large enough dimensions. In the white-box setting, our defense works by obfuscating the parameters of the random projection. Unlike other defenses relying on obfuscated gradients, we find we are unable to build a reliable backward differentiable approximation for obfuscated parameters. Moreover, while our model reaches a good natural accuracy with a hybrid backpropagation - synthetic gradient method, the same approach is suboptimal if employed to generate adversarial examples. We find the combination of a random projection and binarization in the optical system also improves robustness against various types of black-box attacks. Finally, our hybrid training method builds robust features against transfer attacks. We demonstrate our approach on a VGG-like architecture, placing the defense on top of the convolutional features, on CIFAR-10 and CIFAR-100. Code is available at https://github.com/lightonai/adversarial-robustness-by-design.
Related papers
- A Curious Case of Remarkable Resilience to Gradient Attacks via Fully Convolutional and Differentiable Front End with a Skip Connection [5.030787492485122]
  The gradient masking phenomenon is not new, but the degree of masking was quite remarkable for fully differentiable models.
  Black box attacks can be partially effective against gradient masking, but they are easily defeated by combining models into randomized ensembles.
  arXiv Detail & Related papers (2024-02-26T20:55:47Z)
- PuriDefense: Randomized Local Implicit Adversarial Purification for Defending Black-box Query-based Attacks [15.842917276255141]
  Black-box query-based attacks threaten Machine Learning as a Service (ML) systems.
  We propose an efficient defense mechanism, PuriDefense, that employs random patch-wise purifications with an ensemble of lightweight purification models at a low level of inference cost.
  Our theoretical analysis suggests that this approach slows down the convergence of query-based attacks by incorporating randomness into purifications.
  arXiv Detail & Related papers (2024-01-19T09:54:23Z)
- How to Robustify Black-Box ML Models? A Zeroth-Order Optimization Perspective [74.47093382436823]
  We address the problem of black-box defense: How to robustify a black-box model using just input queries and output feedback?
  We propose a general notion of defensive operation that can be applied to black-box models, and design it through the lens of denoised smoothing (DS).
  We empirically show that ZO-AE-DS can achieve improved accuracy, certified robustness, and query complexity over existing baselines.
  arXiv Detail & Related papers (2022-03-27T03:23:32Z)
- Adversarially Robust Classification by Conditional Generative Model Inversion [4.913248451323163]
  We propose a classification model that does not obfuscate gradients and is robust by construction without assuming prior knowledge about the attack.
  Our method casts classification as an optimization problem where we "invert" a conditional generator trained on unperturbed, natural images.
  We demonstrate that our model is extremely robust against black-box attacks and has improved robustness against white-box attacks.
  arXiv Detail & Related papers (2022-01-12T23:11:16Z)
- ROPUST: Improving Robustness through Fine-tuning with Photonic Processors and Synthetic Gradients [65.52888259961803]
  We introduce ROPUST, a simple and efficient method to leverage robust pre-trained models and increase their robustness.
  We test our method on nine different models against four attacks in RobustBench, consistently improving over state-of-the-art performance.
  We show that even with state-of-the-art phase retrieval techniques, ROPUST remains an effective defense.
  arXiv Detail & Related papers (2021-07-06T12:03:36Z)
- Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
  CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
  We propose the adaptive feature alignment (AFA) to generate features of arbitrary attacking strengths.
  Our method is trained to automatically align features of arbitrary attacking strength.
  arXiv Detail & Related papers (2021-05-31T17:01:05Z)
- Transferable Sparse Adversarial Attack [62.134905824604104]
  We introduce a generator architecture to alleviate the overfitting issue and thus efficiently craft transferable sparse adversarial examples.
  Our method achieves superior inference speed, 700$\times$ faster than other optimization-based methods.
  arXiv Detail & Related papers (2021-05-31T06:44:58Z)
- Targeted Attack against Deep Neural Networks via Flipping Limited Weight Bits [55.740716446995805]
  We study a novel attack paradigm, which modifies model parameters in the deployment stage for malicious purposes.
  Our goal is to misclassify a specific sample into a target class without any sample modification.
  By utilizing the latest technique in integer programming, we equivalently reformulate this BIP problem as a continuous optimization problem.
  arXiv Detail & Related papers (2021-02-21T03:13:27Z)
This list is automatically generated from the titles and abstracts of the papers in this site.