Can Attention Masks Improve Adversarial Robustness?

Vaishnavi, P.; Cong, Tianji; Eykholt, Kevin; Prakash, Atul; Rahmati, Amir

doi:10.1007/978-3-030-62144-5_2

Cited by 9 publications

(4 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This approach reduces the dimension of the input space, therefore reducing the space of the potential adversarial examples to fool the network (Simon-Gabriel et al, 2019 ). Several works have demonstrated that elimination of the background of inputs using hand-designed attention masks prior to classification can improve robustness (Vaishnavi et al, 2020 ). In contrast, the HTDA model can automatically generate attention maps based on the extracted features without manual annotations.…”

Section: Resultsmentioning

confidence: 99%

Enhancing spiking neural networks with hybrid top-down attention

Liu

Zhao

2022

Front. Neurosci.

View full text Add to dashboard Cite

As the representatives of brain-inspired models at the neuronal level, spiking neural networks (SNNs) have shown great promise in processing spatiotemporal information with intrinsic temporal dynamics. SNNs are expected to further improve their robustness and computing efficiency by introducing top-down attention at the architectural level, which is crucial for the human brain to support advanced intelligence. However, this attempt encounters difficulties in optimizing the attention in SNNs largely due to the lack of annotations. Here, we develop a hybrid network model with a top-down attention mechanism (HTDA) by incorporating an artificial neural network (ANN) to generate attention maps based on the features extracted by a feedforward SNN. The attention map is then used to modulate the encoding layer of the SNN so that it focuses on the most informative sensory input. To facilitate direct learning of attention maps and avoid labor-intensive annotations, we propose a general principle and a corresponding weakly-supervised objective, which promotes the HTDA model to utilize an integral and small subset of the input to give accurate predictions. On this basis, the ANN and the SNN can be jointly optimized by surrogate gradient descent in an end-to-end manner. We comprehensively evaluated the HTDA model on object recognition tasks, which demonstrates strong robustness to adversarial noise, high computing efficiency, and good interpretability. On the widely-adopted CIFAR-10, CIFAR-100, and MNIST benchmarks, the HTDA model reduces firing rates by up to 50% and improves adversarial robustness by up to 10% with comparable or better accuracy compared with the state-of-the-art SNNs. The HTDA model is also verified on dynamic neuromorphic datasets and achieves consistent improvements. This study provides a new way to boost the performance of SNNs by employing a hybrid top-down attention mechanism.

show abstract

Section: Resultsmentioning

confidence: 99%

Enhancing spiking neural networks with hybrid top-down attention

Liu

Zhao

2022

Front. Neurosci.

View full text Add to dashboard Cite

show abstract

“…Training with augmented data also degrades neural network performance compared to training with original dataset. There are many other defense methods, such as attention-based method [19], [20], [21] and regularization methods [22], [23], [24], [25]. The defense methods make changes to the neural network, but do not guarantee generality.…”

Section: Related Workmentioning

confidence: 99%

Stationary Point Losses for Robust Model

Gao¹,

Zhang²,

Li³

et al. 2023

Preprint

View full text Add to dashboard Cite

The inability to guarantee robustness is one of the major obstacles to the application of deep learning models in security-demanding domains. We identify that the most commonly used cross-entropy (CE) loss does not guarantee robust boundary for neural networks. CE loss sharpens the neural network at the decision boundary to achieve a lower loss, rather than pushing the boundary to a more robust position. A robust boundary should be kept in the middle of samples from different classes, thus maximizing the margins from the boundary to the samples. We think this is due to the fact that CE loss has no stationary point. In this paper, we propose a family of new losses, called stationary point (SP) loss, which has at least one stationary point on the correct classification side. We proved that robust boundary can be guaranteed by SP loss without losing much accuracy. With SP loss, larger perturbations are required to generate adversarial examples. We demonstrate that robustness is improved under a variety of adversarial attacks by applying SP loss. Moreover, robust boundary learned by SP loss also performs well on imbalanced datasets. 1

show abstract

“…In general, a certificate is a trainable function that is optimized at training time to ensure that the decision boundary of the classifier is guaranteed not to change within a perturbation radius. Other than limitations intrinsic to the nature of certified classifiers, such as a trade-off between certified radius and accuracy and training complexity (Vaishnavi et al, 2022), it is important to mention that in general, these techniques require large amount of data (e.g. randomized smoothing (Cohen et al, 2019)) replacing the channel with a certified one.…”

Section: Related Workmentioning

confidence: 99%

MEAD: A Multi-Armed Approach for Evaluation of Adversarial Examples Detectors

Granese

Picot

Romanelli

et al. 2023

Lecture Notes in Computer Science

View full text Add to dashboard Cite

This paper explores a scenario in which a malicious actor employs a multi-armed attack strategy to manipulate data samples, offering them various avenues to introduce noise into the dataset. Our central objective is to protect the data by detecting any alterations to the input. We approach this defensive strategy with utmost caution, operating in an environment where the defender possesses significantly less information compared to the attacker. Specifically, the defender is unable to utilize any data samples for training a defense model or verifying the integrity of the channel. Instead, the defender relies exclusively on a set of pre-existing detectors readily available "off the shelf". To tackle this challenge, we derive an innovative information-theoretic defense approach that optimally aggregates the decisions made by these detectors, eliminating the need for any training data. We further explore a practical use-case scenario for empirical evaluation, where the attacker possesses a pre-trained classifier and launches well-known adversarial attacks against it. Our experiments highlight the effectiveness of our proposed solution, even in scenarios that deviate from the optimal setup.

show abstract

Can Attention Masks Improve Adversarial Robustness?

Cited by 9 publications

References 8 publications

Enhancing spiking neural networks with hybrid top-down attention

Enhancing spiking neural networks with hybrid top-down attention

Stationary Point Losses for Robust Model

MEAD: A Multi-Armed Approach for Evaluation of Adversarial Examples Detectors

Contact Info

Product

Resources

About