Adversarial Vulnerability of Randomized Ensembles
- URL: http://arxiv.org/abs/2206.06737v1
- Date: Tue, 14 Jun 2022 10:37:58 GMT
- Title: Adversarial Vulnerability of Randomized Ensembles
- Authors: Hassan Dbouk, Naresh R. Shanbhag
- Abstract summary: We show that randomized ensembles are more vulnerable to imperceptible adversarial perturbations than even standard AT models.
We propose a theoretically-sound and efficient adversarial attack algorithm (ARC) capable of compromising randomized ensembles even in cases where adaptive PGD fails to do so.
- Score: 12.082239973914326
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Despite the tremendous success of deep neural networks across various tasks,
their vulnerability to imperceptible adversarial perturbations has hindered
their deployment in the real world. Recently, works on randomized ensembles
have empirically demonstrated significant improvements in adversarial
robustness over standard adversarially trained (AT) models with minimal
computational overhead, making them a promising solution for safety-critical
resource-constrained applications. However, this impressive performance raises
the question: Are these robustness gains provided by randomized ensembles real?
In this work we address this question both theoretically and empirically. We
first establish theoretically that commonly employed robustness evaluation
methods such as adaptive PGD provide a false sense of security in this setting.
Subsequently, we propose a theoretically-sound and efficient adversarial attack
algorithm (ARC) capable of compromising randomized ensembles even in cases where
adaptive PGD fails to do so. We conduct comprehensive experiments across a
variety of network architectures, training schemes, datasets, and norms to
support our claims, and empirically establish that randomized ensembles are in
fact more vulnerable to $\ell_p$-bounded adversarial perturbations than even
standard AT models. Our code can be found at https://github.com/hsndbk4/ARC.
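For concreteness, here is a minimal PyTorch-style sketch (my own, not the authors' ARC implementation; see the linked repository for that) of the two objects discussed above: randomized ensemble inference, which samples one member per query from a fixed sampling distribution, and the adaptive PGD baseline, which ascends the loss averaged under that distribution. The abstract argues that this expected-loss evaluation is precisely what can give a false sense of security.
```python
import torch
import torch.nn.functional as F

def randomized_ensemble_predict(models, probs, x):
    """Randomized ensemble inference: sample ONE member per query
    according to the sampling distribution `probs`, then classify."""
    i = torch.multinomial(torch.as_tensor(probs), num_samples=1).item()
    return models[i](x)

def adaptive_pgd(models, probs, x, y, eps=8/255, alpha=2/255, steps=20):
    """Adaptive PGD baseline (l_inf): ascend the loss *averaged* under the
    sampling distribution. The paper shows this standard evaluation can
    overestimate the robustness of randomized ensembles."""
    delta = torch.empty_like(x).uniform_(-eps, eps).requires_grad_(True)
    for _ in range(steps):
        loss = sum(p * F.cross_entropy(m(x + delta), y)
                   for p, m in zip(probs, models))
        g, = torch.autograd.grad(loss, delta)
        with torch.no_grad():
            delta += alpha * g.sign()
            delta.clamp_(-eps, eps)
            delta.copy_((x + delta).clamp(0, 1) - x)  # stay in image range
    return (x + delta).detach()
```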
Related papers
- Doubly Robust Instance-Reweighted Adversarial Training [107.40683655362285]
We propose a novel doubly robust instance-reweighted adversarial training framework.
Our importance weights are obtained by optimizing the KL-divergence regularized loss function.
Our proposed approach outperforms related state-of-the-art baseline methods in terms of average robust performance.
arXiv Detail & Related papers (2023-08-01T06:16:18Z)
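The entry above mentions importance weights obtained by optimizing a KL-divergence regularized loss. A hedged sketch of the standard KL-tilting construction such weights typically come from (a generic derivation, not necessarily this paper's exact objective): maximizing the weighted loss over the probability simplex with a KL penalty toward the uniform distribution has a closed-form softmax solution.
```python
import torch

def kl_regularized_weights(losses: torch.Tensor, tau: float = 1.0) -> torch.Tensor:
    """Closed-form solution of
        max_{w in simplex}  <w, losses> - tau * KL(w || uniform),
    which tilts weight toward hard (high-loss) examples:
        w_i  proportional to  exp(losses_i / tau)."""
    return torch.softmax(losses / tau, dim=0)

# Hypothetical use inside an adversarial training step:
#   w = kl_regularized_weights(per_example_adv_loss.detach(), tau=0.5)
#   loss = (w * per_example_adv_loss).sum()
```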
- Distributed Adversarial Training to Robustify Deep Neural Networks at Scale [100.19539096465101]
Current deep neural networks (DNNs) are vulnerable to adversarial attacks, where adversarial perturbations to the inputs can change or manipulate the classification.
To defend against such attacks, an effective approach known as adversarial training (AT) has been shown to reliably improve model robustness.
We propose a large-batch adversarial training framework implemented over multiple machines.
arXiv Detail & Related papers (2022-06-13T15:39:43Z)
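A generic data-parallel adversarial training step in the spirit of the entry above (a hypothetical sketch; the paper's distributed algorithm and its analysis are more involved): each worker crafts PGD examples on its own data shard, and DDP averages gradients across machines, yielding a large effective batch.
```python
import torch
import torch.nn.functional as F
from torch.nn.parallel import DistributedDataParallel as DDP

def distributed_at_step(ddp_model: DDP, x, y, opt, eps=8/255, alpha=2/255, steps=10):
    local = ddp_model.module  # craft the attack locally, no gradient sync needed
    delta = torch.empty_like(x).uniform_(-eps, eps).requires_grad_(True)
    for _ in range(steps):
        g, = torch.autograd.grad(F.cross_entropy(local(x + delta), y), delta)
        with torch.no_grad():
            delta += alpha * g.sign()
            delta.clamp_(-eps, eps)
    opt.zero_grad()
    # Single synchronized backward: DDP all-reduces gradients across workers.
    F.cross_entropy(ddp_model(x + delta.detach()), y).backward()
    opt.step()
```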
- A Unified Wasserstein Distributional Robustness Framework for Adversarial Training [24.411703133156394]
This paper presents a unified framework that connects Wasserstein distributional robustness with current state-of-the-art AT methods.
We introduce a new Wasserstein cost function and a new series of risk functions, with which we show that standard AT methods are special cases of their counterparts in our framework.
This connection leads to an intuitive relaxation and generalization of existing AT methods and facilitates the development of a new family of distributionally robust AT algorithms.
arXiv Detail & Related papers (2022-02-27T19:40:29Z)
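For context, the generic Wasserstein distributionally robust objective that such frameworks instantiate (standard form; notation mine, not necessarily the paper's cost function) is:
```latex
% Worst-case expected loss over distributions Q within Wasserstein
% radius \epsilon (ground cost c) of the data distribution P.
\min_{\theta} \ \sup_{Q \,:\, W_c(Q,\,P) \,\le\, \epsilon} \
  \mathbb{E}_{(x,y) \sim Q}\!\left[ \ell\big(f_{\theta}(x),\, y\big) \right]
```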
- Robust Binary Models by Pruning Randomly-initialized Networks [57.03100916030444]
We propose ways to obtain robust models against adversarial attacks from randomly-initialized binary networks.
We learn the structure of the robust model by pruning a randomly-initialized binary network.
Our method confirms the strong lottery ticket hypothesis in the presence of adversarial attacks.
arXiv Detail & Related papers (2022-02-03T00:05:08Z)
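One common recipe for learning such subnetworks over frozen random weights, in the spirit of the strong lottery ticket hypothesis (an edge-popup-style sketch under my own assumptions, not necessarily the authors' exact method):
```python
import torch
import torch.nn as nn
import torch.nn.functional as F

class PrunedRandomBinaryLinear(nn.Module):
    """Frozen, randomly-initialized binary (sign) weights; only a pruning
    mask is learned, via per-weight scores and a straight-through estimator."""
    def __init__(self, in_features, out_features, keep_ratio=0.5):
        super().__init__()
        w = torch.empty(out_features, in_features)
        nn.init.kaiming_normal_(w)
        self.weight = nn.Parameter(torch.sign(w), requires_grad=False)  # stays fixed
        self.scores = nn.Parameter(0.01 * torch.randn_like(w))          # learned
        self.keep_ratio = keep_ratio

    def forward(self, x):
        n = self.scores.numel()
        k = max(1, int(n * self.keep_ratio))
        # Keep the top-k scores: threshold at the (n - k + 1)-th smallest.
        thr = self.scores.flatten().kthvalue(n - k + 1).values
        hard_mask = (self.scores >= thr).float()
        # Straight-through: forward uses the hard mask, gradient flows to scores.
        mask = hard_mask + self.scores - self.scores.detach()
        return F.linear(x, self.weight * mask)
```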
- CC-Cert: A Probabilistic Approach to Certify General Robustness of Neural Networks [58.29502185344086]
In safety-critical machine learning applications, it is crucial to defend models against adversarial attacks.
It is important to provide provable guarantees for deep learning models against semantically meaningful input transformations.
We propose a new universal probabilistic certification approach based on Chernoff-Cramer bounds.
arXiv Detail & Related papers (2021-09-22T12:46:04Z)
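The classical Chernoff-Cramér bound that such probabilistic certificates build on (standard form):
```latex
% For any real t and random variable X, optimizing the exponential
% Markov bound over \lambda > 0 gives
\Pr[X \ge t] \ \le\ \inf_{\lambda > 0} \ e^{-\lambda t}\, \mathbb{E}\!\left[ e^{\lambda X} \right].
```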
- Policy Smoothing for Provably Robust Reinforcement Learning [109.90239627115336]
We study the provable robustness of reinforcement learning against norm-bounded adversarial perturbations of the inputs.
We generate certificates that guarantee that the total reward obtained by the smoothed policy will not fall below a certain threshold under a norm-bounded adversarial perturbation of the input.
arXiv Detail & Related papers (2021-06-21T21:42:08Z)
- Jacobian Regularization for Mitigating Universal Adversarial Perturbations [2.9465623430708905]
Universal Adversarial Perturbations (UAPs) are input perturbations that can fool a neural network on large sets of data.
We derive upper bounds for the effectiveness of UAPs based on norms of data-dependent Jacobians.
arXiv Detail & Related papers (2021-04-21T11:00:21Z)
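A hedged sketch of a data-dependent Jacobian regularizer in this spirit (a Hutchinson-style stochastic estimate of the squared Frobenius norm; the paper's exact penalty may differ):
```python
import torch

def jacobian_frobenius_penalty(model, x, n_proj=1):
    """Stochastic estimate of ||J||_F^2 for the input-output Jacobian J:
    for v ~ N(0, I), E||v^T J||^2 = ||J||_F^2."""
    x = x.clone().requires_grad_(True)
    out = model(x)
    penalty = x.new_zeros(())
    for _ in range(n_proj):
        v = torch.randn_like(out)
        (vjp,) = torch.autograd.grad(out, x, grad_outputs=v,
                                     create_graph=True, retain_graph=True)
        penalty = penalty + vjp.pow(2).sum() / n_proj
    return penalty

# Hypothetical training loss:
#   loss = task_loss + lam * jacobian_frobenius_penalty(model, x)
```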
- Robust Reinforcement Learning using Adversarial Populations [118.73193330231163]
Reinforcement Learning (RL) is an effective tool for controller design but can struggle with issues of robustness.
We show that using a single adversary does not consistently yield robustness to dynamics variations under standard parametrizations of the adversary.
We propose a population-based augmentation to the Robust RL formulation in which we randomly initialize a population of adversaries and sample from the population uniformly during training.
arXiv Detail & Related papers (2020-08-04T20:57:32Z)
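A minimal sketch of the population-based scheme described above (hypothetical `env`, `protagonist`, and adversary interfaces; the paper's exact training procedure may differ): a fresh adversary is drawn uniformly each episode, so the protagonist cannot overfit to a single foe.
```python
import random

def train_with_adversary_population(env, protagonist, make_adversary,
                                    population_size=8, episodes=1000):
    population = [make_adversary() for _ in range(population_size)]  # random inits
    for _ in range(episodes):
        adversary = random.choice(population)        # uniform sampling per rollout
        trajectory = env.rollout(protagonist, adversary)
        protagonist.update(trajectory)               # maximize its reward
        adversary.update(trajectory)                 # minimize protagonist's reward
```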
- Regularized Training and Tight Certification for Randomized Smoothed Classifier with Provable Robustness [15.38718018477333]
We derive a new regularized risk, in which the regularizer can adaptively encourage the accuracy and robustness of the smoothed counterpart.
We also design a new certification algorithm that can leverage the regularization effect to provide a tighter robustness lower bound that holds with high probability.
arXiv Detail & Related papers (2020-02-17T20:54:34Z)
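For reference, a minimal sketch of the standard randomized-smoothing certification loop that such tighter certificates improve on (Cohen-style; `model_predict` is a hypothetical base-classifier callable returning a label):
```python
import numpy as np
from scipy.stats import beta, norm

def certify_smoothed(model_predict, x, sigma, n=1000, alpha=0.001):
    """Generic baseline certificate, not this paper's tighter variant.
    Returns (label, certified l2 radius) or None to abstain."""
    counts = {}
    for _ in range(n):
        label = model_predict(x + sigma * np.random.randn(*x.shape))
        counts[label] = counts.get(label, 0) + 1
    top = max(counts, key=counts.get)
    k = counts[top]
    # Clopper-Pearson lower confidence bound on the top-class probability.
    p_lower = beta.ppf(alpha, k, n - k + 1)
    if p_lower <= 0.5:
        return None  # cannot certify with confidence 1 - alpha
    return top, sigma * norm.ppf(p_lower)
```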