A Closer Look at Robustness to L-infinity and Spatial Perturbations and
their Composition
- URL: http://arxiv.org/abs/2210.02577v1
- Date: Wed, 5 Oct 2022 21:57:14 GMT
- Title: A Closer Look at Robustness to L-infinity and Spatial Perturbations and
their Composition
- Authors: Luke Rowe, Benjamin Thérien, Krzysztof Czarnecki, Hongyang Zhang
- Abstract summary: In adversarial machine learning, the popular $\ell_\infty$ threat model has been the focus of much previous work.
We study how state-of-the-art $\ell_\infty$ defenses can be adapted to this novel threat model.
We find that our newly proposed TRADES$_{\text{All}}$ strategy performs the strongest of all.
- Score: 14.508683884152347
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: In adversarial machine learning, the popular $\ell_\infty$ threat model has
been the focus of much previous work. While this mathematical definition of
imperceptibility successfully captures an infinite set of additive image
transformations that a model should be robust to, this is only a subset of all
transformations which leave the semantic label of an image unchanged. Indeed,
previous work also considered robustness to spatial attacks as well as other
semantic transformations; however, designing defense methods against the
composition of spatial and $\ell_{\infty}$ perturbations remains relatively
underexplored. In the following, we improve the understanding of this seldom
investigated compositional setting. We prove theoretically that no linear
classifier can achieve more than trivial accuracy against a composite adversary
in a simple statistical setting, illustrating its difficulty. We then
investigate how state-of-the-art $\ell_{\infty}$ defenses can be adapted to
this novel threat model and study their performance against compositional
attacks. We find that our newly proposed TRADES$_{\text{All}}$ strategy
performs the strongest of all. Analyzing its logit's Lipschitz constant for RT
transformations of different sizes, we find that TRADES$_{\text{All}}$ remains
stable over a wide range of RT transformations with and without $\ell_\infty$
perturbations.
Related papers
- LOTOS: Layer-wise Orthogonalization for Training Robust Ensembles [13.776549741449557]
We study the effect of Lipschitz continuity on transferability rates.
We introduce LOTOS, a new training paradigm for ensembles, which counteracts this adverse effect.
arXiv Detail & Related papers (2024-10-07T15:43:28Z)
- Crooked indifferentiability of the Feistel Construction [53.572703605492904]
The Feistel construction is a fundamental technique for building pseudorandom permutations and block ciphers.
This paper shows that a simple adaptation of the construction is resistant, even to algorithm substitution attacks.
arXiv Detail & Related papers (2024-04-15T04:29:24Z)
- $\sigma$-zero: Gradient-based Optimization of $\ell_0$-norm Adversarial Examples [14.17412770504598]
We show that $\ell_\infty$-norm constraints can be used to craft input perturbations.
We propose a novel $\ell_\infty$-norm attack called $\sigma$-norm.
It outperforms all competing adversarial attacks in terms of success, size, and efficiency.
arXiv Detail & Related papers (2024-02-02T20:08:11Z)
- Revisiting Weighted Strategy for Non-stationary Parametric Bandits [82.1942459195896]
This paper revisits the weighted strategy for non-stationary parametric bandits.
We propose a refined analysis framework, which produces a simpler weight-based algorithm.
Our new framework can be used to improve regret bounds of other parametric bandits.
arXiv Detail & Related papers (2023-03-05T15:11:14Z)
- Towards Compositional Adversarial Robustness: Generalizing Adversarial Training to Composite Semantic Perturbations [70.05004034081377]
We first propose a novel method for generating composite adversarial examples.
Our method can find the optimal attack composition by utilizing component-wise projected gradient descent.
We then propose generalized adversarial training (GAT) to extend model robustness from the $\ell_p$-ball to composite semantic perturbations.
arXiv Detail & Related papers (2022-02-09T02:41:56Z)
- Adversarial robustness against multiple $l_p$-threat models at the price of one and how to quickly fine-tune robust models to another threat model [79.05253587566197]
Adversarial training (AT) to achieve adversarial robustness w.r.t. single $l_p$-threat models has been discussed extensively.
In this paper we develop a simple and efficient training scheme to achieve adversarial robustness against the union of $l_p$-threat models.
arXiv Detail & Related papers (2021-05-26T12:20:47Z)
- Generating Structured Adversarial Attacks Using Frank-Wolfe Method [7.84752424025677]
Constraining adversarial search with different norms results in disparately structured adversarial examples.
Structured adversarial examples can be used for adversarial regularization of models to make them more robust, or to improve their performance on datasets which are structurally different.
arXiv Detail & Related papers (2021-02-15T06:36:50Z)
- Towards Defending Multiple $\ell_p$-norm Bounded Adversarial Perturbations via Gated Batch Normalization [120.99395850108422]
Existing adversarial defenses typically improve model robustness against individual specific perturbations.
Some recent methods improve model robustness against adversarial attacks in multiple $\ell_p$ balls, but their performance against each perturbation type is still far from satisfactory.
We propose Gated Batch Normalization (GBN) to adversarially train a perturbation-invariant predictor for defending against multiple $\ell_p$-bounded adversarial perturbations.
arXiv Detail & Related papers (2020-12-03T02:26:01Z)
- Toward Adversarial Robustness via Semi-supervised Robust Training [93.36310070269643]
Adversarial examples have been shown to be a severe threat to deep neural networks (DNNs).
We propose a novel defense method, robust training (RT), which jointly minimizes two separate risks ($R_{\text{stand}}$ and $R_{\text{rob}}$).
arXiv Detail & Related papers (2020-03-16T02:14:08Z)
This list is automatically generated from the titles and abstracts of the papers in this site.