Formulating Robustness Against Unforeseen Attacks
- URL: http://arxiv.org/abs/2204.13779v1
- Date: Thu, 28 Apr 2022 21:03:36 GMT
- Title: Formulating Robustness Against Unforeseen Attacks
- Authors: Sihui Dai, Saeed Mahloujifar, Prateek Mittal
- Abstract summary: This paper focuses on the scenario where there is a mismatch in the threat model assumed by the defense during training.
We ask the question: if the learner trains against a specific "source" threat model, when can we expect robustness to generalize to a stronger unknown "target" threat model during test-time?
We propose adversarial training with variation regularization (AT-VR) which reduces variation of the feature extractor across the source threat model during training.
- Score: 34.302333899025044
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Existing defenses against adversarial examples such as adversarial training
typically assume that the adversary will conform to a specific or known threat
model, such as $\ell_p$ perturbations within a fixed budget. In this paper, we
focus on the scenario where there is a mismatch in the threat model assumed by
the defense during training, and the actual capabilities of the adversary at
test time. We ask the question: if the learner trains against a specific
"source" threat model, when can we expect robustness to generalize to a
stronger unknown "target" threat model during test-time? Our key contribution
is to formally define the problem of learning and generalization with an
unforeseen adversary, which helps us reason about the increase in adversarial
risk from the conventional perspective of a known adversary. Applying our
framework, we derive a generalization bound which relates the generalization
gap between source and target threat models to variation of the feature
extractor, which measures the expected maximum difference between extracted
features across a given threat model. Based on our generalization bound, we
propose adversarial training with variation regularization (AT-VR) which
reduces variation of the feature extractor across the source threat model
during training. We empirically demonstrate that AT-VR can lead to improved
generalization to unforeseen attacks during test-time compared to standard
adversarial training on Gaussian and image datasets.
Related papers
- Meta Invariance Defense Towards Generalizable Robustness to Unknown Adversarial Attacks [62.036798488144306]
Current defense mainly focuses on the known attacks, but the adversarial robustness to the unknown attacks is seriously overlooked.
We propose an attack-agnostic defense method named Meta Invariance Defense (MID)
We show that MID simultaneously achieves robustness to the imperceptible adversarial perturbations in high-level image classification and attack-suppression in low-level robust image regeneration.
arXiv Detail & Related papers (2024-04-04T10:10:38Z) - Consistent Valid Physically-Realizable Adversarial Attack against
Crowd-flow Prediction Models [4.286570387250455]
deep learning (DL) models can effectively learn city-wide crowd-flow patterns.
DL models have been known to perform poorly on inconspicuous adversarial perturbations.
arXiv Detail & Related papers (2023-03-05T13:30:25Z) - Self-Ensemble Adversarial Training for Improved Robustness [14.244311026737666]
Adversarial training is the strongest strategy against various adversarial attacks among all sorts of defense methods.
Recent works mainly focus on developing new loss functions or regularizers, attempting to find the unique optimal point in the weight space.
We devise a simple but powerful emphSelf-Ensemble Adversarial Training (SEAT) method for yielding a robust classifier by averaging weights of history models.
arXiv Detail & Related papers (2022-03-18T01:12:18Z) - Interpolated Joint Space Adversarial Training for Robust and
Generalizable Defenses [82.3052187788609]
Adversarial training (AT) is considered to be one of the most reliable defenses against adversarial attacks.
Recent works show generalization improvement with adversarial samples under novel threat models.
We propose a novel threat model called Joint Space Threat Model (JSTM)
Under JSTM, we develop novel adversarial attacks and defenses.
arXiv Detail & Related papers (2021-12-12T21:08:14Z) - Adversarial Visual Robustness by Causal Intervention [56.766342028800445]
Adversarial training is the de facto most promising defense against adversarial examples.
Yet, its passive nature inevitably prevents it from being immune to unknown attackers.
We provide a causal viewpoint of adversarial vulnerability: the cause is the confounder ubiquitously existing in learning.
arXiv Detail & Related papers (2021-06-17T14:23:54Z) - Localized Uncertainty Attacks [9.36341602283533]
We present localized uncertainty attacks against deep learning models.
We create adversarial examples by perturbing only regions in the inputs where a classifier is uncertain.
Unlike $ell_p$ ball or functional attacks which perturb inputs indiscriminately, our targeted changes can be less perceptible.
arXiv Detail & Related papers (2021-06-17T03:07:22Z) - Towards Defending against Adversarial Examples via Attack-Invariant
Features [147.85346057241605]
Deep neural networks (DNNs) are vulnerable to adversarial noise.
adversarial robustness can be improved by exploiting adversarial examples.
Models trained on seen types of adversarial examples generally cannot generalize well to unseen types of adversarial examples.
arXiv Detail & Related papers (2021-06-09T12:49:54Z) - Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
We propose the adaptive feature alignment (AFA) to generate features of arbitrary attacking strengths.
Our method is trained to automatically align features of arbitrary attacking strength.
arXiv Detail & Related papers (2021-05-31T17:01:05Z) - Learning and Certification under Instance-targeted Poisoning [49.55596073963654]
We study PAC learnability and certification under instance-targeted poisoning attacks.
We show that when the budget of the adversary scales sublinearly with the sample complexity, PAC learnability and certification are achievable.
We empirically study the robustness of K nearest neighbour, logistic regression, multi-layer perceptron, and convolutional neural network on real data sets.
arXiv Detail & Related papers (2021-05-18T17:48:15Z)
This list is automatically generated from the titles and abstracts of the papers in this site.
This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.