REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust
Encoder as a Service
- URL: http://arxiv.org/abs/2301.02905v1
- Date: Sat, 7 Jan 2023 17:40:11 GMT
- Title: REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust
Encoder as a Service
- Authors: Wenjie Qu and Jinyuan Jia and Neil Zhenqiang Gong
- Abstract summary: We show how a service provider pre-trains an encoder and then deploys it as a cloud service API.
A client queries the cloud service API to obtain feature vectors for its training/testing inputs.
We show that the cloud service only needs to provide two APIs to enable a client to certify the robustness of its downstream classifier.
- Score: 67.0982378001551
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Encoder as a service is an emerging cloud service. Specifically, a service
provider first pre-trains an encoder (i.e., a general-purpose feature
extractor) via either supervised learning or self-supervised learning and then
deploys it as a cloud service API. A client queries the cloud service API to
obtain feature vectors for its training/testing inputs when training/testing
its classifier (called a downstream classifier). A downstream classifier is
vulnerable to adversarial examples, i.e., testing inputs with carefully crafted
perturbations that cause the downstream classifier to misclassify them.
Therefore, in safety- and security-critical applications, a client aims to
build a robust downstream classifier and derive certified robustness guarantees
against adversarial examples.
What APIs should the cloud service provide, such that a client can use any
certification method to certify the robustness of its downstream classifier
against adversarial examples while minimizing the number of queries to the
APIs? How can a service provider pre-train an encoder such that clients can
build more certifiably robust downstream classifiers? We aim to answer the two
questions in this work. For the first question, we show that the cloud service
only needs to provide two APIs, which we carefully design, to enable a client
to certify the robustness of its downstream classifier with a minimal number of
queries to the APIs. For the second question, we show that an encoder
pre-trained using a spectral-norm regularization term enables clients to build
more robust downstream classifiers.
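The client-side workflow described in the abstract (query the cloud API for feature vectors, then train and test a downstream classifier locally) can be illustrated with a minimal sketch. The endpoint URL, payload format, helper names, and placeholder data below are hypothetical, not the service's actual interface.

```python
# Minimal sketch of the encoder-as-a-service client workflow; the endpoint,
# payload format, and placeholder data are illustrative assumptions.
import numpy as np
import requests
from sklearn.linear_model import LogisticRegression

FEATURE_API_URL = "https://encoder.example.com/feature"  # hypothetical endpoint

def query_features(inputs: np.ndarray) -> np.ndarray:
    """Send each training/testing input to the cloud encoder and collect
    the returned feature vectors."""
    feats = []
    for x in inputs:
        resp = requests.post(FEATURE_API_URL, json={"input": x.tolist()})
        feats.append(np.asarray(resp.json()["feature"]))
    return np.stack(feats)

# Placeholder data standing in for the client's private training/testing sets.
train_inputs = np.random.rand(100, 32, 32, 3)
train_labels = np.random.randint(0, 10, size=100)
test_inputs = np.random.rand(20, 32, 32, 3)

# The downstream classifier is trained locally on the returned feature vectors.
train_feats = query_features(train_inputs)
downstream_clf = LogisticRegression(max_iter=1000).fit(train_feats, train_labels)

# At testing time the client queries the API again and classifies the features.
test_feats = query_features(test_inputs)
predictions = downstream_clf.predict(test_feats)
```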
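The abstract does not spell out the two APIs, so the following is only a plausible sketch of how a two-API design could keep certification queries minimal: one call returns the feature vector, the client runs a certification method of its choice (randomized smoothing here) on the feature vector locally, and a second call translates the resulting feature-space radius into an input-space radius. The function names, the smoothing parameters, and the radius-translation API are assumptions for illustration, not the paper's exact protocol.

```python
# Hedged sketch: certifying a downstream classifier with two API calls per
# testing input. Both cloud calls below (api_feature, api_feature_to_input_radius)
# are hypothetical stand-ins for the service's real APIs.
import numpy as np
from scipy.stats import norm

def api_feature(x: np.ndarray) -> np.ndarray:
    """Cloud call 1: return the encoder's feature vector for input x."""
    raise NotImplementedError("served by the encoder provider")

def api_feature_to_input_radius(x: np.ndarray, r_feature: float) -> float:
    """Cloud call 2: return an input-space radius such that any perturbation
    of x within it moves the feature vector by at most r_feature."""
    raise NotImplementedError("served by the encoder provider")

def certify(x, downstream_clf, num_classes=10, sigma=0.25, n_samples=1000):
    """Certify one testing input with two API queries in total.
    downstream_clf maps a batch of feature vectors to integer labels."""
    feat = api_feature(x)                                      # query 1
    # Randomized smoothing is applied locally in feature space: noise is added
    # to the returned feature vector, so no extra cloud queries are needed.
    noisy = feat + sigma * np.random.randn(n_samples, feat.shape[0])
    votes = np.bincount(downstream_clf(noisy), minlength=num_classes)
    top = int(votes.argmax())
    # Crude estimate of the top-class probability; a real certificate would use
    # a proper confidence lower bound and abstain when it is too small.
    p_top = min(votes[top] / n_samples, 1.0 - 1e-6)
    if p_top <= 0.5:
        return top, 0.0
    r_feature = sigma * norm.ppf(p_top)                        # feature-space radius
    r_input = api_feature_to_input_radius(x, r_feature)        # query 2
    return top, r_input
```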
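For the second question, a minimal sketch of adding a spectral-norm regularization term to encoder pre-training is given below, assuming a PyTorch encoder. The power-iteration estimate, the per-layer sum, and the weighting factor lam are illustrative choices rather than the paper's exact formulation.

```python
# Hedged sketch of spectral-norm regularization during encoder pre-training;
# the penalty definition and its weight are illustrative assumptions.
import torch
import torch.nn as nn
import torch.nn.functional as F

def spectral_norm_penalty(encoder: nn.Module, n_iter: int = 5) -> torch.Tensor:
    """Estimate the largest singular value of each weight matrix by power
    iteration and sum the estimates; penalizing this sum discourages the
    encoder from amplifying small input perturbations."""
    penalty = torch.zeros((), device=next(encoder.parameters()).device)
    for p in encoder.parameters():
        if p.ndim < 2:
            continue                          # skip biases and norm parameters
        w = p.reshape(p.shape[0], -1)         # treat conv kernels as matrices
        v = torch.randn(w.shape[1], device=w.device)
        for _ in range(n_iter):               # power iteration
            u = F.normalize(w @ v, dim=0)
            v = F.normalize(w.t() @ u, dim=0)
        penalty = penalty + torch.dot(u.detach(), w @ v.detach())
    return penalty

# Inside whatever (supervised or self-supervised) pre-training loop the
# provider already uses, the term is simply added to the existing loss:
#   loss = pretraining_loss + lam * spectral_norm_penalty(encoder)
#   loss.backward(); optimizer.step()
```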
Related papers
- Pre-trained Encoder Inference: Revealing Upstream Encoders In Downstream Machine Learning Services [10.367966878807714]
Pre-trained encoders can be easily accessed online to build downstream machine learning (ML) services quickly.
This paper unveils a new vulnerability: the Pre-trained Encoder Inference (PEI) attack, which poses privacy threats to encoders hidden behind downstream ML services.
arXiv Detail & Related papers (2024-08-05T20:27:54Z)
- Downstream-agnostic Adversarial Examples [66.8606539786026]
AdvEncoder is the first framework for generating downstream-agnostic universal adversarial examples based on a pre-trained encoder.
Unlike traditional adversarial example works, the pre-trained encoder only outputs feature vectors rather than classification labels.
Our results show that an attacker can successfully attack downstream tasks without knowing either the pre-training dataset or the downstream dataset.
arXiv Detail & Related papers (2023-07-23T10:16:47Z)
- Customer Sentiment Analysis using Weak Supervision for Customer-Agent Chat [0.0]
We perform sentiment analysis on customer chat using weak supervision on our in-house dataset.
We fine-tune the pre-trained language model (LM) RoBERTa as a sentiment classifier using weak supervision.
arXiv Detail & Related papers (2021-11-29T00:58:22Z)
- Honest-but-Curious Nets: Sensitive Attributes of Private Inputs can be Secretly Coded into the Entropy of Classifiers' Outputs [1.0742675209112622]
Deep neural networks, trained for the classification of a non-sensitive target attribute, can reveal sensitive attributes of their input data.
We show that deep classifiers can be trained to secretly encode a sensitive attribute of users' input data, at inference time.
arXiv Detail & Related papers (2021-05-25T16:27:57Z)
- Simple Transparent Adversarial Examples [65.65977217108659]
We introduce secret embedding and transparent adversarial examples as a simpler way to evaluate robustness.
As a result, they pose a serious threat where APIs are used for high-stakes applications.
arXiv Detail & Related papers (2021-05-20T11:54:26Z)
- Detection of Adversarial Supports in Few-shot Classifiers Using Feature Preserving Autoencoders and Self-Similarity [89.26308254637702]
We propose a detection strategy to highlight adversarial support sets.
We make use of feature-preserving autoencoder filtering and the self-similarity of a support set to perform this detection.
Our method is attack-agnostic and, to the best of our knowledge, the first to explore detection for few-shot classifiers.
arXiv Detail & Related papers (2020-12-09T14:13:41Z)
- Robust and Verifiable Information Embedding Attacks to Deep Neural Networks via Error-Correcting Codes [81.85509264573948]
In the era of deep learning, a user often leverages a third-party machine learning tool to train a deep neural network (DNN) classifier.
In an information embedding attack, an attacker is the provider of a malicious third-party machine learning tool.
In this work, we aim to design information embedding attacks that are verifiable and robust against popular post-processing methods.
arXiv Detail & Related papers (2020-10-26T17:42:42Z)
- Denoised Smoothing: A Provable Defense for Pretrained Classifiers [101.67773468882903]
We present a method for provably defending any pretrained image classifier against $\ell_p$ adversarial attacks.
This method allows public vision API providers and users to seamlessly convert pretrained non-robust classification services into provably robust ones.
arXiv Detail & Related papers (2020-03-04T06:15:55Z)