Mitigating Evasion Attacks to Deep Neural Networks via Region-based Classification

Cao, Xiaoyu; Gong, Neil Zhenqiang

doi:10.1145/3134600.3134606

Cited by 163 publications

(144 citation statements)

References 26 publications

Supporting

Mentioning

143

Contrasting

Order By: Relevance

“…Randomized smoothing was initially proposed as empirical defenses [6,26] without formal certified robustness guarantees. For example, Cao & Gong [6] proposed to use uniform noise sampled from a hypercube centered at an input. Lecuyer et al [20] derived the first certified robustness guarantee for randomized smoothing with Gaussian or Laplacian noise by utilizing differential privacy techniques.…”

Section: Related Workmentioning

confidence: 99%

Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing

Jia

Wang

Cao

et al. 2020

Proceedings of the Web Conference 2020

Self Cite

View full text Add to dashboard Cite

Community detection plays a key role in understanding graph structure. However, several recent studies showed that community detection is vulnerable to adversarial structural perturbation. In particular, via adding or removing a small number of carefully selected edges in a graph, an attacker can manipulate the detected communities. However, to the best of our knowledge, there are no studies on certifying robustness of community detection against such adversarial structural perturbation. In this work, we aim to bridge this gap. Specifically, we develop the first certified robustness guarantee of community detection against adversarial structural perturbation. Given an arbitrary community detection method, we build a new smoothed community detection method via randomly perturbing the graph structure. We theoretically show that the smoothed community detection method provably groups a given arbitrary set of nodes into the same community (or different communities) when the number of edges added/removed by an attacker is bounded. Moreover, we show that our certified robustness is tight. We also empirically evaluate our method on multiple real-world graphs with ground truth communities.

show abstract

Section: Related Workmentioning

confidence: 99%

Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing

Jia

Wang

Cao

et al. 2020

Proceedings of the Web Conference 2020

Self Cite

View full text Add to dashboard Cite

show abstract

“…We then checked whether the input labeled will be flipped in the perturbed network using Eq. (8). In the figures, green and red points represent non-flippable and flippable inputs, respectively.…”

Section: Resultsmentioning

confidence: 99%

Robustness of Neural Networks to Parameter Quantization

Murthy¹,

Das

Islam

2019

From Reactive Systems to Cyber-Physical Systems

View full text Add to dashboard Cite

Keywords: Neural Networks · Edge Computing · Parameter Quantization · Robustness · Satisfiability Modulo Theories Quantization, a commonly used technique to reduce the memory footprint of a neural network for edge computing, entails reducing the precision of the floating-point representation used for the parameters of the network. The impact of such rounding-off errors on the overall performance of the neural network is estimated using testing, which is not exhaustive and thus cannot be used to guarantee the safety of the model. We present a framework based on Satisfiability Modulo Theory (SMT) solvers to quantify the robustness of neural networks to parameter perturbation. To this end, we introduce notions of local and global robustness that capture the deviation in the confidence of class assignments due to parameter quantization. The robustness notions are then cast as instances of SMT problems and solved automatically using solvers, such as dReal. We demonstrate our framework on two simple Multi-Layer Perceptrons (MLP) that perform binary classification on a two-dimensional input. In addition to quantifying the robustness, we also show that Rectified Linear Unit activation results in higher robustness than linear activations for our MLPs.

show abstract

“…Cao and Gong aimed to increase the robustness of neural networks [30]. Instead of using only a test sample to determine which class it belongs to, hundreds of neighboring samples are generated in the surrounding hypercube and a voting algorithm is applied to decide the true label of the test sample.…”

Section: B Decision Related Topicsmentioning

confidence: 99%

Section: B Decision Related Topicsmentioning

confidence: 99%

“…Inspired by this region-based classification method [30], He et al [23] moved from hypercubes to larger neighborhoods. They proposed an orthogonal-direction ensemble attack called OptMargin, which could evade the region-based classification defense mentioned in [30]. They also analyzed margins (between samples and decision boundaries) and adjacent class information, then built a simple neural network to detect adversarial examples with these analysis results.…”

Section: B Decision Related Topicsmentioning

confidence: 99%

See 1 more Smart Citation

Feedback Learning for Improving the Robustness of Neural Networks

Song

Wang

2019

2019 18th IEEE International Conference on Machine Learning and Applications (ICMLA)

View full text Add to dashboard Cite

Recent research studies revealed that neural networks are vulnerable to adversarial attacks. State-of-the-art defensive techniques add various adversarial examples in training to improve models' adversarial robustness. However, these methods are not universal and can't defend unknown or nonadversarial evasion attacks. In this paper, we analyze the model robustness in the decision space. A feedback learning method is then proposed, to understand how well a model learns and to facilitate the retraining process of remedying the defects. The evaluations according to a set of distance-based criteria show that our method can significantly improve models' accuracy and robustness against different types of evasion attacks. Moreover, we observe the existence of inter-class inequality and propose to compensate for it by changing the proportions of examples generated in different classes.

show abstract

Mitigating Evasion Attacks to Deep Neural Networks via Region-based Classification

Cited by 163 publications

References 26 publications

Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing

Certified Robustness of Community Detection against Adversarial Structural Perturbation via Randomized Smoothing

Robustness of Neural Networks to Parameter Quantization

Feedback Learning for Improving the Robustness of Neural Networks

Contact Info

Product

Resources

About