Decoupling Direction and Norm for Efficient Gradient-Based L2 Adversarial Attacks and Defenses

Rony, Jérôme; Hafemann, Luiz G.; Oliveira, Luiz S.; Ayed, Ismail Ben; Sabourin, Robert; Granger, Éric

doi:10.1109/cvpr.2019.00445

Cited by 206 publications

(207 citation statements)

References 13 publications

Supporting

Mentioning

201

Contrasting

Unclassified

Order By: Relevance

“…While adversarial formulations using Lagrangian relaxation like the C&W attack [7] and the EAD attack [8] are known to be more effective than PGD for finding minimal perturbations under L 2 and L 1 constraints, these formulations involve computationally expensive line searches, often requiring thousands of iterations to converge, making them computationally difficult to scale to 5000 ImageNet samples for a large number of models. Furthermore, because some of the models we tested operate with stochasticity during inference, we found that other state-of-the-art attacks formulated to efficiently find minimal perturbation distances [9,10] were generally difficult to tune, as their success becomes stochastic as they near the decision boundary. Thus we proceeded with the PGD formulation as we found it to be the most reliable, computationally tractable, and conceptually simple to follow.…”

Section: B Image Perturbations B1 White Box Adversarial Attacksmentioning

confidence: 99%

“…However, scratching beneath the surface reveals a different picture. These CNNs are easily fooled by imperceptibly small perturbations explicitly crafted to induce mistakes, usually referred to as adversarial attacks [6,7,8,9,10]. Further, they exhibit a surprising failure to recognize objects in images corrupted with different noise patterns that humans have no trouble with [11,12,13].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Simulating a Primary Visual Cortex at the Front of CNNs Improves Robustness to Image Perturbations

Dapello

Marques

Schrimpf

et al. 2020

Preprint

120

124

View full text Add to dashboard Cite

Current state-of-the-art object recognition models are largely based on convolutional neural network (CNN) architectures, which are loosely inspired by the primate visual system. However, these CNNs can be fooled by imperceptibly small, explicitly crafted perturbations, and struggle to recognize objects in corrupted images that are easily recognized by humans. Here, by making comparisons with primate neural data, we first observed that CNN models with a neural hidden layer that better matches primate primary visual cortex (V1) are also more robust to adversarial attacks. Inspired by this observation, we developed VOneNets, a new class of hybrid CNN vision models. Each VOneNet contains a fixed weight neural network front-end that simulates primate V1, called the VOneBlock, followed by a neural network back-end adapted from current CNN vision models. The VOneBlock is based on a classical neuroscientific model of V1: the linear-nonlinear-Poisson model, consisting of a biologically-constrained Gabor filter bank, simple and complex cell nonlinearities, and a V1 neuronal stochasticity generator. After training, VOneNets retain high ImageNet performance, but each is substantially more robust, outperforming the base CNNs and state-of-the-art methods by 18% and 3%, respectively, on a conglomerate benchmark of perturbations comprised of white box adversarial attacks and common image corruptions. Finally, we show that all components of the VOneBlock work in synergy to improve robustness. While current CNN architectures are arguably brain-inspired, the results presented here demonstrate that more precisely mimicking just one stage of the primate visual system leads to new gains in ImageNet-level computer vision applications.

show abstract

Section: B Image Perturbations B1 White Box Adversarial Attacksmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Simulating a Primary Visual Cortex at the Front of CNNs Improves Robustness to Image Perturbations

Dapello

Marques

Schrimpf

et al. 2020

Preprint

120

124

View full text Add to dashboard Cite

show abstract

“…Decoupling direction and norm l 2 -attack (DDN) [72] DNNs, yet, safety verification of large DNNs remains challenging.…”

Section: Other Attacksmentioning

confidence: 99%

“…• Decoupled Direction and Norm l 2 -attack (DDN) [72] as in [140] with the following parameters: 1000 iterations, initial epsilon 1.0, and gamma 0.05.…”

Section: Attack Parametersmentioning

confidence: 99%

“…The models on CIFAR-10 achieve the following clean test accuracy (first 1000 images of the test set): plain 88.38% (89.4%), l ∞ -AT 79.9% (80.4%), and l 2 -AT 80.44% (80.7%).Attacks:We tested the robustness of each model wrt to l ∞ -, l 2 -, l 1 -, and l 0norm adversaries. We compared the performance of our attacks to attacks representing state-of-the-art for each norm: Brendel & Bethge attack (B&B, l ∞ -,l 2 -, l 1 -, l 0 -norms)[139]; Carlini-Wagner l 2 -attack (C&W, l 2 -norm)[18]; Decoupled Direction and Norm l 2 -attack (DDN, l 2 -norm)[72]; DeepFool (DF, l ∞ -, and l 2norm)[53]; Distributionally Adversarial Attack (DAA, l ∞ -norm)[74]; Elastic-net attack (l 1 -norm)[75]; Fast Adaptive Boundary Attack (FAB, l ∞ -, l 2 -, l 1 -norms)[54];…”

mentioning

confidence: 99%

See 1 more Smart Citation