Attack as Defense: Characterizing Adversarial Examples using Robustness
- URL: http://arxiv.org/abs/2103.07633v1
- Date: Sat, 13 Mar 2021 06:29:13 GMT
- Title: Attack as Defense: Characterizing Adversarial Examples using Robustness
- Authors: Zhe Zhao, Guangke Chen, Jingyi Wang, Yiwei Yang, Fu Song, Jun Sun
- Abstract summary: We propose a novel defense framework named attack as defense (A2D) to detect adversarial examples.
A2D uses the cost of attacking an input as a robustness measure and flags the less robust examples as adversarial.
Experimental results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches.
- Score: 9.020456982421958
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: As a new programming paradigm, deep learning has expanded its application to
many real-world problems. At the same time, deep-learning-based software has been
found to be vulnerable to adversarial attacks. Though various defense
mechanisms have been proposed to improve the robustness of deep learning software,
many of them are ineffective against adaptive attacks. In this work, we propose
a novel characterization to distinguish adversarial examples from benign ones,
based on the observation that adversarial examples are significantly less
robust than benign ones. As existing robustness measurements do not scale to
large networks, we propose a novel defense framework, named attack as defense
(A2D), that detects adversarial examples by efficiently evaluating an example's
robustness. A2D uses the cost of attacking an input as its robustness measure
and flags the less robust examples as adversarial, since less robust
examples are easier to attack. Extensive experimental results on MNIST, CIFAR10,
and ImageNet show that A2D is more effective than recent promising approaches.
We also evaluate our defense against potential adaptive attacks and show that
A2D remains effective against carefully designed adaptive attacks; e.g., the
attack success rate drops to 0% on CIFAR10.
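To make the mechanism concrete, here is a minimal sketch of attack-cost-based detection, assuming a PyTorch classifier and a single image input; PGD as the probe attack and all hyperparameters are illustrative assumptions, not the paper's exact configuration.

```python
# Minimal sketch of attack-as-defense detection, assuming a PyTorch
# classifier and a single input x of shape (1, C, H, W) in [0, 1].
# PGD as the probe attack and all hyperparameters are illustrative
# assumptions, not the paper's exact configuration.
import torch
import torch.nn.functional as F

def attack_cost(model, x, eps=0.03, step=0.007, max_iters=50):
    """Number of PGD iterations needed to change the model's prediction.

    A low count means the input is easy to attack, i.e. less robust."""
    model.eval()
    with torch.no_grad():
        orig_pred = model(x).argmax(dim=1)
    x_adv = x.clone()
    for i in range(1, max_iters + 1):
        x_adv = x_adv.detach().requires_grad_(True)
        F.cross_entropy(model(x_adv), orig_pred).backward()
        with torch.no_grad():
            x_adv = x_adv + step * x_adv.grad.sign()   # ascend the loss
            x_adv = x + (x_adv - x).clamp(-eps, eps)   # project into the eps-ball
            x_adv = x_adv.clamp(0.0, 1.0)              # keep a valid image
            if model(x_adv).argmax(dim=1).item() != orig_pred.item():
                return i                               # prediction flipped at cost i
    return max_iters + 1                               # input survived every iteration

def flag_adversarial(model, x, cost_threshold=5):
    # Inputs that are cheap to attack are flagged as adversarial; the
    # threshold would be calibrated on benign data in practice.
    return attack_cost(model, x) <= cost_threshold
```

In practice the cost threshold would be calibrated so that benign validation inputs rarely fall below it.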
Related papers
- Meta Invariance Defense Towards Generalizable Robustness to Unknown Adversarial Attacks [62.036798488144306]
Current defenses mainly focus on known attacks, but adversarial robustness to unknown attacks is seriously overlooked.
We propose an attack-agnostic defense method named Meta Invariance Defense (MID).
We show that MID simultaneously achieves robustness to the imperceptible adversarial perturbations in high-level image classification and attack-suppression in low-level robust image regeneration.
arXiv Detail & Related papers (2024-04-04T10:10:38Z)
- Improving behavior based authentication against adversarial attack using XAI [3.340314613771868]
We propose an eXplainable AI (XAI) based defense strategy against adversarial attacks in such scenarios.
A feature selector, trained with our method, can be used as a filter in front of the original authenticator.
We demonstrate that our XAI based defense strategy is effective against adversarial attacks and outperforms other defense strategies.
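As a rough sketch of the filter idea (module names, the sigmoid gating, and the hard threshold are our assumptions, not the paper's design), a trained selector can gate features before the untouched authenticator:

```python
# Hedged sketch: a trained feature selector placed in front of the
# original authenticator. The gating scheme and threshold below are
# illustrative assumptions; the paper trains the selector with XAI
# (feature-attribution) guidance.
import torch
import torch.nn as nn

class SelectorFilter(nn.Module):
    def __init__(self, selector: nn.Module, authenticator: nn.Module,
                 keep_threshold: float = 0.5):
        super().__init__()
        self.selector = selector            # scores each behavioral feature
        self.authenticator = authenticator  # original model, left unchanged
        self.keep_threshold = keep_threshold

    def forward(self, features: torch.Tensor) -> torch.Tensor:
        scores = torch.sigmoid(self.selector(features))  # reliability in (0, 1)
        mask = (scores > self.keep_threshold).float()    # drop unreliable features
        return self.authenticator(features * mask)       # authenticate filtered input
```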
arXiv Detail & Related papers (2024-02-26T09:29:05Z)
- Benchmarking and Analyzing Robust Point Cloud Recognition: Bag of Tricks for Defending Adversarial Examples [25.029854308139853]
Adversarial examples on 3D point clouds are more challenging to defend against than those on 2D images.
In this paper, we first establish a comprehensive and rigorous point cloud adversarial robustness benchmark.
We then perform extensive and systematic experiments to identify an effective combination of these tricks.
We construct a more robust defense framework achieving an average accuracy of 83.45% against various attacks.
arXiv Detail & Related papers (2023-07-31T01:34:24Z)
- On Trace of PGD-Like Adversarial Attacks [77.75152218980605]
Adversarial attacks pose safety and security concerns for deep learning applications.
We construct Adversarial Response Characteristics (ARC) features to reflect the model's gradient consistency.
Our method is intuitive, lightweight, non-intrusive, and data-undemanding.
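A rough sketch of the gradient-consistency signal follows (our paraphrase of the idea; the paper's actual ARC construction, step sizes, and feature layout differ):

```python
# Hedged sketch of a gradient-consistency signal: take a few PGD-like
# steps and record the cosine similarity between successive input
# gradients. The paper's ARC features are built differently; the step
# size and number of steps here are assumptions.
import torch
import torch.nn.functional as F

def gradient_consistency(model, x, y, steps=4, step_size=0.007):
    grads, x_cur = [], x.clone()
    for _ in range(steps):
        x_cur = x_cur.detach().requires_grad_(True)
        F.cross_entropy(model(x_cur), y).backward()
        grads.append(x_cur.grad.flatten())
        with torch.no_grad():
            x_cur = x_cur + step_size * x_cur.grad.sign()  # one PGD-like step
    # Inputs crafted by PGD-like attacks tend to show a different
    # consistency pattern across steps than benign inputs.
    return torch.stack([F.cosine_similarity(grads[i], grads[i + 1], dim=0)
                        for i in range(len(grads) - 1)])
```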
arXiv Detail & Related papers (2022-05-19T14:26:50Z)
- Model-Agnostic Meta-Attack: Towards Reliable Evaluation of Adversarial Robustness [53.094682754683255]
We propose a Model-Agnostic Meta-Attack (MAMA) approach to discover stronger attack algorithms automatically.
Our method learns the optimizer in adversarial attacks, parameterized by a recurrent neural network.
We develop a model-agnostic training algorithm to improve the generalization ability of the learned optimizer when attacking unseen defenses.
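In outline (a sketch under our own assumptions: the per-coordinate GRU, network sizes, and the projection are illustrative, and MAMA additionally meta-trains the optimizer), a learned optimizer replaces PGD's hand-designed sign step:

```python
# Hedged sketch of a learned attack optimizer: an RNN maps the current
# input gradient to a perturbation update, replacing PGD's fixed sign
# step. Sizes and the projection are assumptions; MAMA also meta-trains
# this optimizer so it generalizes to unseen defenses.
import torch
import torch.nn as nn
import torch.nn.functional as F

class LearnedOptimizerAttack(nn.Module):
    def __init__(self, hidden=32):
        super().__init__()
        self.rnn = nn.GRUCell(1, hidden)  # one state per input coordinate
        self.out = nn.Linear(hidden, 1)   # emits that coordinate's update

    def attack(self, model, x, y, eps=0.03, steps=10):
        n = x.numel()
        h = torch.zeros(n, self.rnn.hidden_size)
        x_adv = x.clone()
        for _ in range(steps):
            x_adv = x_adv.detach().requires_grad_(True)
            F.cross_entropy(model(x_adv), y).backward()
            g = x_adv.grad.reshape(n, 1)        # coordinate-wise gradients
            h = self.rnn(g, h)                  # learned optimizer state
            update = self.out(h).reshape_as(x)  # learned update direction
            with torch.no_grad():
                x_adv = torch.clamp(x_adv + update, x - eps, x + eps)  # eps-ball
        return x_adv.detach()
```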
arXiv Detail & Related papers (2021-10-13T13:54:24Z)
- Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
We propose an adaptive feature alignment (AFA) module to generate features of arbitrary attacking strengths.
Our method is trained to automatically align features of arbitrary attacking strengths.
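One common way to realize such alignment (a generic sketch, not necessarily AFA's exact loss) is to penalize the distance between features of clean inputs and of their adversarial counterparts during training:

```python
# Generic feature-alignment training loss (an assumption, not
# necessarily AFA's formulation): classify the adversarial example
# while pulling its intermediate features toward the features of the
# corresponding clean input.
import torch
import torch.nn.functional as F

def alignment_loss(feature_extractor, classifier_head, x_clean, x_adv, y,
                   align_weight=1.0):
    feat_clean = feature_extractor(x_clean).detach()  # target features, no grad
    feat_adv = feature_extractor(x_adv)
    cls_loss = F.cross_entropy(classifier_head(feat_adv), y)  # classify adv input
    align = F.mse_loss(feat_adv, feat_clean)                  # pull features together
    return cls_loss + align_weight * align
```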
arXiv Detail & Related papers (2021-05-31T17:01:05Z)
- Are Adversarial Examples Created Equal? A Learnable Weighted Minimax Risk for Robustness under Non-uniform Attacks [70.11599738647963]
Adversarial Training is one of the few defenses that withstand strong attacks.
Traditional defense mechanisms assume a uniform attack over the examples according to the underlying data distribution.
We present a weighted minimax risk optimization that defends against non-uniform attacks.
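Schematically, the uniform average over training examples is replaced by adversarially chosen per-example weights; the following form is our paraphrase, with the notation and constraint set as assumptions:

```latex
% Schematic weighted minimax risk; notation is our paraphrase.
% theta: model parameters, w: per-example weights in a constrained
% set W (e.g. a subset of the probability simplex), delta_i: an
% epsilon-bounded perturbation of example x_i.
\min_{\theta} \max_{w \in \mathcal{W}}
  \sum_{i=1}^{n} w_i
  \max_{\|\delta_i\|_\infty \le \epsilon}
  \ell\bigl(f_\theta(x_i + \delta_i),\, y_i\bigr)
```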
arXiv Detail & Related papers (2020-10-24T21:20:35Z)
- Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks [65.20660287833537]
In this paper we propose two extensions of the PGD-attack overcoming failures due to suboptimal step size and problems of the objective function.
We then combine our novel attacks with two complementary existing ones to form a parameter-free, computationally affordable and user-independent ensemble of attacks to test adversarial robustness.
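The evaluation protocol behind such an ensemble can be sketched as follows; the attack callables are stand-ins supplied by the caller, while the paper's concrete ensemble (AutoAttack) combines APGD variants with FAB and Square Attack:

```python
# Sketch of the ensemble-evaluation protocol: an input only counts as
# robust if every attack in the pool fails on it. The `Attack`
# callables here are stand-ins, not the paper's implementations.
from typing import Callable, Sequence
import torch

Attack = Callable[[torch.nn.Module, torch.Tensor, torch.Tensor], torch.Tensor]

def robust_accuracy(model: torch.nn.Module, x: torch.Tensor,
                    y: torch.Tensor, attacks: Sequence[Attack]) -> float:
    """Fraction of inputs that no attack in the ensemble breaks."""
    still_robust = torch.ones(len(x), dtype=torch.bool, device=x.device)
    for attack in attacks:
        if not still_robust.any():
            break                                   # everything already broken
        idx = still_robust.nonzero(as_tuple=True)[0]
        x_adv = attack(model, x[idx], y[idx])       # attack only the survivors
        with torch.no_grad():
            pred = model(x_adv).argmax(dim=1)
        still_robust[idx] = pred == y[idx]          # survivors must stay correct
    return still_robust.float().mean().item()
```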
arXiv Detail & Related papers (2020-03-03T18:15:55Z)
This list is automatically generated from the titles and abstracts of the papers on this site.