Frequency Centric Defense Mechanisms against Adversarial Examples

Shah, Sanket; Raval, Param; Khakhi, Harin; Raval, Mehul S.

doi:10.1145/3475724.3483610

Cited by 6 publications

(2 citation statements)

References 25 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Notable in relation to our work are methods to design norms (and hence distance functions), detectors or other methods to become robust against noise, such as done in [4,8,17,19,22], or to account for, e.g., correlations in the data to define clusters [2]. In light of this, observe that our choice of the Euclidean norm is indeed itself arbitrary, and given the equivalence of all norms, more robust choices are compatible with our constructions.…”

Section: Related Workmentioning

confidence: 93%

Metricizing the Euclidean Space towards Desired Distance Relations in Point Clouds

Raß¹,

König²,

Ahmad³

et al. 2022

Preprint

View full text Add to dashboard Cite

Given a set of points in the Euclidean space R with > 1, the pairwise distances between the points are determined by their spatial location and the metric d that we endow R with. Hence, the distance d(x, y) = δ between two points is fixed by the choice of x and y and d. We study the related problem of fixing the value δ, and the points x, y, and ask if there is a topological metric d that computes the desired distance δ. We demonstrate this problem to be solvable by constructing a metric to simultaneously give desired pairwise distances between up to O( √ ) many points in R . In particular, these distances can be chosen independent of any "natural" distance between the given points, such as Euclidean or others. Towards dropping the limit on how many points (at fixed locations) we can put into desired distance from one another, we then introduce the notion of an ε-semimetric d. This function has all properties of a metric, but allows violations of the triangle inequality up to an additive error < ε. With this (mild) generalization of a topological metric, we formulate our main result: for all ε > 0, for all m ≥ 1, for any choice of m points y1, . . . , ym ∈ R , and all chosen sets of values {δij ≥ 0 : 1 ≤ i < j ≤ m}, there exists an ε-semimetric δ : R ×R → R such that d(yi, yj) = δij, i.e., the desired distances are accomplished, irrespectively of the topology that the Euclidean or other norms would induce. The order of quantifiers is important here: we first can choose the accuracy ε by which our semi-metric may be violate the triangle inequality (while leaving the other metric axioms to hold as usual for d), then fix the spatial locations of points, and after that step, choose the distances that we wish between our points. We showcase our results by using them to "attack" unsupervised learning algorithms, specifically k-Means and density-based (DBSCAN) clustering algorithms. These have manifold applications in artificial intelligence, and letting them run with externally provided distance measures constructed in the way as shown here, can make clustering algorithms produce results that are pre-determined and hence malleable. This demonstrates that the

show abstract

Section: Related Workmentioning

confidence: 93%

Metricizing the Euclidean Space towards Desired Distance Relations in Point Clouds

Raß¹,

König²,

Ahmad³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…With the continuous research on adversarial samples, many effective defense methods [23], [24], [25], [26] have been proposed successively. Adversarial training arguably remains the most effective and promising defense to date, where defenders proactively craft deceptive images for their model and expand the training dataset with such instances to retrain the model.…”

Section: ) Transfer-based Attacksmentioning

confidence: 99%

Intermediate-Layer Transferable Adversarial Attack With DNN Attention

Yang

Zhou

et al. 2022

IEEE Access

View full text Add to dashboard Cite

The widespread deployment of deep learning models in practice necessitates an assessment of their vulnerability, particularly in security-sensitive areas. As a result, transfer-based adversarial attacks have elicited increasing interest in assessing the security of deep learning models. However, adversarial samples usually exhibit poor transferability over different models because of overfitting of the particular architecture and feature representation of a source model. To address this problem, the Intermediate Layer Attack with Attention guidance (IAA) is proposed to alleviate overfitting and enhance the black-box transferability. The IAA works on an intermediate layer 𝑙 of the source model. Guided by the model's attention to the features of layer 𝑙, the attack algorithm seeks and undermines the key features that are likely to be adopted by diverse architectures. Significantly, IAA focuses on improving existing white-box attacks without introducing significant visual perceptual quality degradation. Namely, IAA maintains the white-box attack performance of the original algorithm while significantly enhancing its black-box transferability. Extensive experiments on ImageNet classifiers confirmed the effectiveness of our method. The proposed IAA outperformed all state-of-the-art benchmarks in various white-box and black-box settings. INDEX TERMSDeep learning, adversarial samples, black-box attack, transferability, intermediate layer, attention-guided.

show abstract