Intermediate Level Adversarial Attack for Enhanced Transferability

Huang, Qian; Gu, Zeqi; Katsman, Isay; He, Horace; Pawakapan, Pian; Lin, Zhiqiu; Belongie, Serge; Lim, Ser-Nam

doi:10.48550/arxiv.1811.08458

Cited by 3 publications

(2 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our work provides per layer conditions for robustness, which may be utilized for the selection of the best regularization parameters for each layer independently, given a data set and architecture through cross-validation. Although, we have not empirically shown in the paper, our approach theoretically should provide a level of robustness against intermediate level attacks recently introduced in [18]. Our work provides a theoretical backing for the empirical findings in [28,36] which state that Leaky ReLu, a modified version of the ReLu function, may be more robust comparatively.…”

Section: Related Workmentioning

confidence: 64%

Robust Design of Deep Neural Networks against Adversarial Attacks based on Lyapunov Theory

Rahnama¹,

Nguyen²,

Raff³

2019

Preprint

View full text Add to dashboard Cite

Deep neural networks (DNNs) are vulnerable to subtle adversarial perturbations applied to the input. These adversarial perturbations, though imperceptible, can easily mislead the DNN. In this work, we take a control theoretic approach to the problem of robustness in DNNs. We treat each individual layer of the DNN as a nonlinear dynamical system and use Lyapunov theory to prove stability and robustness locally. We then proceed to prove stability and robustness globally for the entire DNN. We develop empirically tight bounds on the response of the output layer, or any hidden layer, to adversarial perturbations added to the input, or the input of hidden layers. Recent works have proposed spectral norm regularization as a solution for improving robustness against 2 adversarial attacks. Our results give new insights into how spectral norm regularization can mitigate the adversarial effects. Finally, we evaluate the power of our approach on a variety of data sets and network architectures and against some of the well-known adversarial attacks.

show abstract

Section: Related Workmentioning

confidence: 64%

Robust Design of Deep Neural Networks against Adversarial Attacks based on Lyapunov Theory

Rahnama¹,

Nguyen²,

Raff³

2019

Preprint

View full text Add to dashboard Cite

show abstract

“…Among them, PGD [50] is regarded as one of the most powerful attacks [2]. Notably, adversarial examples are discovered to be transferable [60,59] among different neural network classifiers, which inspired a series of black-box attacks [71,79,83,45,14,28]. On the other hand, universal (i.e., image-agnostic) adversarial perturbations are also discovered [53,41].…”

Section: Related Workmentioning

confidence: 99%

Adversarial Ranking Attack and Defense

Zhou

Niu²,

Wang³

et al. 2020

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Deep Neural Network classifiers are vulnerable to adversarial attack, where an imperceptible perturbation could result in misclassification. However, the vulnerability of DNN-based image ranking systems remains under-explored. In this paper, we propose two attacks against deep ranking systems, i.e., Candidate Attack and Query Attack, that can raise or lower the rank of chosen candidates by adversarial perturbations. Specifically, the expected ranking order is first represented as a set of inequalities, and then a triplet-like objective function is designed to obtain the optimal perturbation. Conversely, an anti-collapse triplet defense is proposed to improve the ranking model robustness against all proposed attacks, where the model learns to prevent the positive and negative samples being pulled close to each other by adversarial attack. To comprehensively measure the empirical adversarial robustness of a ranking model with our defense, we propose an empirical robustness score, which involves a set of representative attacks against ranking models. Our adversarial ranking attacks and defenses are evaluated on MNIST, Fashion-MNIST, CUB200-2011, CARS196 and Stanford Online Products datasets. Experimental results demonstrate that a typical deep ranking system can be effectively compromised by our attacks. Nevertheless, our defense can significantly improve the ranking system robustness, and simultaneously mitigate a wide range of attacks.

show abstract