DNNShield: Dynamic Randomized Model Sparsification, A Defense Against Adversarial Machine Learning
- URL: http://arxiv.org/abs/2208.00498v1
- Date: Sun, 31 Jul 2022 19:29:44 GMT
- Title: DNNShield: Dynamic Randomized Model Sparsification, A Defense Against Adversarial Machine Learning
- Authors: Mohammad Hossein Samavatian, Saikat Majumdar, Kristin Barber, Radu Teodorescu
- Abstract summary: We propose a hardware-accelerated defense against machine learning attacks.
DNNSHIELD adapts the strength of the response to the confidence of the adversarial input.
We show an adversarial detection rate of 86% when applied to VGG16 and 88% when applied to ResNet50.
- Score: 2.485182034310304
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: DNNs are known to be vulnerable to so-called adversarial attacks that
manipulate inputs to cause incorrect results that can be beneficial to an
attacker or damaging to the victim. Recent works have proposed approximate
computation as a defense mechanism against machine learning attacks. We show
that these approaches, while successful for a range of inputs, are insufficient
to address stronger, high-confidence adversarial attacks. To address this, we
propose DNNSHIELD, a hardware-accelerated defense that adapts the strength of
the response to the confidence of the adversarial input. Our approach relies on
dynamic and random sparsification of the DNN model to achieve inference
approximation efficiently and with fine-grain control over the approximation
error. DNNSHIELD uses the output distribution characteristics of sparsified
inference compared to a dense reference to detect adversarial inputs. We show
an adversarial detection rate of 86% when applied to VGG16 and 88% when applied
to ResNet50, which exceeds the detection rate of the state of the art
approaches, with a much lower overhead. We demonstrate a
software/hardware-accelerated FPGA prototype, which reduces the performance
impact of DNNSHIELD relative to software-only CPU and GPU implementations.
Related papers
- Distributed Adversarial Training to Robustify Deep Neural Networks at Scale [100.19539096465101]
Current deep neural networks (DNNs) are vulnerable to adversarial attacks, where adversarial perturbations to the inputs can change or manipulate classification.
To defend against such attacks, an effective approach, known as adversarial training (AT), has been shown to mitigate robust training.
We propose a large-batch adversarial training framework implemented over multiple machines.
arXiv Detail & Related papers (2022-06-13T15:39:43Z)
- Using Undervolting as an On-Device Defense Against Adversarial Machine Learning Attacks [1.9212368803706579]
We propose a novel, lightweight adversarial correction and/or detection mechanism for image classifiers.
We show that these errors disrupt the adversarial input in a way that can be used either to correct the classification or detect the input as adversarial.
arXiv Detail & Related papers (2021-07-20T23:21:04Z)
- HASI: Hardware-Accelerated Stochastic Inference, A Defense Against Adversarial Machine Learning Attacks [1.9212368803706579]
This paper presents HASI, a hardware-accelerated defense that uses a process we call stochastic inference to detect adversarial inputs.
We show an average adversarial detection rate of 87%, which exceeds the detection rate of the state-of-the-art approaches.
arXiv Detail & Related papers (2021-06-09T14:31:28Z)
- Adaptive Feature Alignment for Adversarial Training [56.17654691470554]
CNNs are typically vulnerable to adversarial attacks, which pose a threat to security-sensitive applications.
We propose the adaptive feature alignment (AFA) to generate features of arbitrary attacking strengths.
Our method is trained to automatically align features of arbitrary attacking strength.
arXiv Detail & Related papers (2021-05-31T17:01:05Z)
- Towards Adversarial Patch Analysis and Certified Defense against Crowd Counting [61.99564267735242]
Crowd counting has drawn much attention due to its importance in safety-critical surveillance systems.
Recent studies have demonstrated that deep neural network (DNN) methods are vulnerable to adversarial attacks.
We propose a robust attack strategy called Adversarial Patch Attack with Momentum to evaluate the robustness of crowd counting models.
arXiv Detail & Related papers (2021-04-22T05:10:55Z)
- Combating Adversaries with Anti-Adversaries [118.70141983415445]
In particular, our layer generates an input perturbation in the opposite direction of the adversarial one.
We verify the effectiveness of our approach by combining our layer with both nominally and robustly trained models.
Our anti-adversary layer significantly enhances model robustness while coming at no cost on clean accuracy.
arXiv Detail & Related papers (2021-03-26T09:36:59Z)
- Towards Adversarial-Resilient Deep Neural Networks for False Data Injection Attack Detection in Power Grids [7.351477761427584]
False data injection attacks (FDIAs) pose a significant security threat to power system state estimation.
Recent studies have proposed machine learning (ML) techniques, particularly deep neural networks (DNNs)
arXiv Detail & Related papers (2021-02-17T22:26:34Z)
- On the Intrinsic Robustness of NVM Crossbars Against Adversarial Attacks [6.592909460916497]
We show that the non-ideal behavior of analog computing lowers the effectiveness of adversarial attacks.
In a non-adaptive attack, where the attacker is unaware of the analog hardware, we observe that analog computing offers a varying degree of intrinsic robustness.
arXiv Detail & Related papers (2020-08-27T09:36:50Z)
- Robust Tracking against Adversarial Attacks [69.59717023941126]
We first attempt to generate adversarial examples on top of video sequences to improve the tracking robustness against adversarial attacks.
We apply the proposed adversarial attack and defense approaches to state-of-the-art deep tracking algorithms.
arXiv Detail & Related papers (2020-07-20T08:05:55Z)
- Sparsity Turns Adversarial: Energy and Latency Attacks on Deep Neural Networks [3.9193443389004887]
Adversarial attacks have exposed serious vulnerabilities in Deep Neural Networks (DNNs).
We propose and demonstrate sparsity attacks, which adversarially modify a DNN's inputs so as to reduce sparsity in its internal activation values.
We launch both white-box and black-box versions of adversarial sparsity attacks and demonstrate that they decrease activation sparsity by up to 1.82x.
arXiv Detail & Related papers (2020-06-14T21:02:55Z)
- A Self-supervised Approach for Adversarial Robustness [105.88250594033053]
Adversarial examples can cause catastrophic mistakes in Deep Neural Network (DNN) based vision systems.
This paper proposes a self-supervised adversarial training mechanism in the input space.
It provides significant robustness against unseen adversarial attacks.
arXiv Detail & Related papers (2020-06-08T20:42:39Z)