D. Schwartz and G. Ditzler, "On Reducing Adversarial Vulnerability with Data Dependent Stochastic Resonance," IEEE Symposium Series on Computational Intelligence, 2022
Schwartz(1) and Gregory Ditzler(2)
(1) Department of Electrical & Computer Engineering, University of Arizona
(2) Department of Electrical & Computer Engineering, Rowan University
[Figure: threat-model diagram of an Attack System and a Target System; labels: Data, Algorithm, Strength, Attack, Dataset, Classifier, Defense, Mutation]
T. Brown and C. Olsson, “Introducing the Unrestricted Adversarial Examples Challenge,” https://ai.googleblog.com/2018/09/introducing-unrestricted-adversarial.html, 2018.
of using adversarial examples to train. Unfortunately, these methods have limited efficacy against unknown attacks and increase training time.
• Regularization: Recent work has shown there is a relationship between the Fisher information matrix and the change in the posterior.
• Latent Disparity Regularization: We proposed LDR to add a term to the cost function that minimizes the disparity between the latent representations of a sample and its adversarial representation.
an approach to improve adversarial training.
• LDR penalizes the training objective proportionally to the discrepancy between hidden activations induced by benign and adversarial examples.
• Investigations reported in our prior work showed that LDR improves adversarial robustness at the price of a small, but statistically significant, sacrifice in benign accuracy.
• Similar to adversarial training, the approach carries increased complexity since adversarial samples need to be generated.
D. Schwartz and G. Ditzler, “Bolstering Adversarial Robustness with Latent Disparity Regularization,” IEEE/INNS International Joint Conference on Neural Networks, 2021.
has complete knowledge of the defender in this work. This is known as a white-box attack.
◦ The adversary has access to the defender’s data and model (i.e., network type, weights, biases, etc.).
◦ The white-box attack is the most difficult to defend against because the adversary has the most knowledge.
• The adversary generates the adversarial attack at test time, which is referred to as an evasion attack.
• Motivation: Small modifications to network architecture have shown performance improvement (e.g., ResNet). What straightforward modification to a network can we make that adds some randomness and achieves adversarial robustness?
Dependent Stochastic Resonance (DDSR) layer to achieve performance gains.
• Similar to a ResNet’s skip connections, we add a representation, x, to a noisy, nonlinearly-transformed representation of the previous layer’s activity.
• Formally,
have not been able to provide performance gains alone to defend against adversarial noise.
◦ The additive noise is typically placed at the input; however, other works have looked at noise at different areas of a network (e.g., output nodes, or dropout@evaluation).
◦ Adding too much noise to an input can actually degrade the benign performance.
• Like ResNet, DDSR is a modification to the convolutional layers of the network. The advantage is that this type of layer was shown empirically to enhance adversarial robustness.
• The DDSR layer can easily be combined with adversarial training to improve the robustness.
backbone.
• Datasets: We use the Fashion-MNIST and CIFAR10 datasets. The adversary uses the network of the defender to generate the adversarial samples using FGSM. The adversary generates samples using different budgets, 𝟄.
• Assessment: We report the accuracy and % gain in performance. Performance is reported after 10-fold cross-validation.
in a network, resulting in performance gains under adversarial and Gaussian perturbations.
• The results show that DDSR is an effective defense against FGSM attacks compared to other adversarial defensive measures at training time.
◦ DDSR displayed the largest adversarial accuracy over all budgets tested with only an insignificant deterioration in benign accuracy compared to AGN, FIM, LDR, and HGD.
◦ On AGN-perturbed data, DDSR is competitive with LDR for small budgets and slightly less robust than LDR for large budgets.
• Another observation we made in this work is that the perturbation error propagates through successive layers except with DDSR.
◦ In fact, the consistency of DDSR’s effect on error amplification may suggest a detection mechanism for adversarial examples.
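The layer-wise error-propagation observation above can be measured directly. The following is an added example, not code from the poster or its authors: it builds a constructed random ReLU MLP as a stand-in for a trained backbone and reports the relative perturbation size at every layer under an AGN-style Gaussian budget sigma, which is the quantity a detector based on error amplification would monitor. DDSR itself is not implemented here; the network, the input and the noise are all constructed.

```python
import numpy as np

def relu(z):
    return np.maximum(z, 0.0)

def make_mlp(layer_sizes, seed=0):
    # Constructed stand-in for a trained backbone: He-scaled random weights, zero biases.
    rng = np.random.default_rng(seed)
    return [(rng.normal(0.0, np.sqrt(2.0 / fi), size=(fi, fo)), np.zeros(fo))
            for fi, fo in zip(layer_sizes[:-1], layer_sizes[1:])]

def constructed_input(dim, seed=2):
    # Constructed input in [0, 1], standing in for a flattened image.
    return np.random.default_rng(seed).uniform(0.0, 1.0, size=dim)

def forward_activations(weights, x):
    # Returns [h_0, ..., h_L]: h_0 is the input, ReLU after each hidden layer, linear logits last.
    acts, h = [x], x
    for i, (W, b) in enumerate(weights):
        z = h @ W + b
        h = z if i == len(weights) - 1 else relu(z)
        acts.append(h)
    return acts

def layerwise_relative_error(weights, x, delta):
    # Relative perturbation ||h_l(x + delta) - h_l(x)|| / ||h_l(x)|| at every layer l.
    clean = forward_activations(weights, x)
    pert = forward_activations(weights, x + delta)
    profile = []
    for hc, hp in zip(clean, pert):
        denom = np.linalg.norm(hc)
        profile.append(float(np.linalg.norm(hp - hc) / denom) if denom > 0 else 0.0)
    return profile

def agn_profile(weights, x, sigma, seed=1):
    # AGN-style budget: zero-mean Gaussian noise with standard deviation sigma added to x.
    delta = np.random.default_rng(seed).normal(0.0, sigma, size=x.shape)
    return layerwise_relative_error(weights, x, delta)

if __name__ == "__main__":
    net = make_mlp([64, 128, 128, 128, 10])
    x = constructed_input(64)
    for sigma in (0.01, 0.05, 0.10):
        # Growth of the ratio from layer to layer is the error propagation the poster refers to.
        print(f"sigma={sigma:.2f}: " + " -> ".join(f"{r:.3f}" for r in agn_profile(net, x, sigma)))
```

Comparing the profile of a candidate input against the profiles of known-benign inputs at the same layer is the kind of statistic the detection idea above would threshold on.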
from the Department of Energy #DE-NA0003946 and National Science Foundation's CAREER #1943552. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the sponsors.