Robust or Private? Adversarial Training Makes Models More Vulnerable to Privacy Attacks

Mejia, Felipe A.; Gamble, Paul; Hampel-Arias, Z.; Lomnitz, M.; Lopatina, N. G.; Tindall, Lucas; Barrios, M. A.

doi:10.48550/arxiv.1906.06449

Cited by 3 publications

(3 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As robust models are typically easier to invert than naturally trained models (Santurkar et al, 2019;Mejia et al, 2019), we use a robust ResNet-50 (He et al, 2016) model trained on the ImageNet (Deng et al, 2009) dataset throughout this section as a toy example to examine how different augmentations impact inversion. Note, we perform the demonstrations in this section under slightly different conditions and with different models than those ultimately used for PII in order to highlight the effects of the augmentations as clearly as possible.…”

Section: Plug-in Inversionmentioning

confidence: 99%

Plug-In Inversion: Model-Agnostic Inversion for Vision with Data Augmentations

Ghiasi¹,

Kazemi²,

Reich³

et al. 2022

Preprint

View full text Add to dashboard Cite

Existing techniques for model inversion typically rely on hard-to-tune regularizers, such as total variation or feature regularization, which must be individually calibrated for each network in order to produce adequate images. In this work, we introduce Plug-In Inversion, which relies on a simple set of augmentations and does not require excessive hyper-parameter tuning. Under our proposed augmentation-based scheme, the same set of augmentation hyper-parameters can be used for inverting a wide range of image classification models, regardless of input dimensions or the architecture. We illustrate the practicality of our approach by inverting Vision Transformers (ViTs) and Multi-Layer Perceptrons (MLPs) trained on the ImageNet dataset, tasks which to the best of our knowledge have not been successfully accomplished by any previous works.

show abstract

Section: Plug-in Inversionmentioning

confidence: 99%

Plug-In Inversion: Model-Agnostic Inversion for Vision with Data Augmentations

Ghiasi¹,

Kazemi²,

Reich³

et al. 2022

Preprint

View full text Add to dashboard Cite

show abstract

“…Cohen et al [15] have shown the certified robustness of large scale ImageNet images and proved slight robustness for 𝑙 2 attacks. Moreover, research suggests that adversarial training is vulnerable to black-box attacks with several privacy issues and creates blind-spots for further attacks [33,50]. In other research directions, explainability [9,14,27], transparency [25], data lineage [51], privacy and security [13], and social well being [41] have also been addressed.…”

Section: Building Trusted/trustworthy Ai Systemsmentioning

confidence: 99%

Trustworthy AI

Singh

Vatsa

Ratha

2021

Proceedings of the 3rd ACM India Joint International Conference on Data Science &Amp; Management of Data (8th ACM IKDD CODS &Am

View full text Add to dashboard Cite

Modern AI systems are reaping the advantage of novel learning methods. With their increasing usage, we are realizing the limitations and shortfalls of these systems. Brittleness to minor adversarial changes in the input data, ability to explain the decisions, address the bias in their training data, high opacity in terms of revealing the lineage of the system, how they were trained and tested, and under which parameters and conditions they can reliably guarantee a certain level of performance, are some of the most prominent limitations. Ensuring the privacy and security of the data, assigning appropriate credits to data sources, and delivering decent outputs are also required features of an AI system. We propose the tutorial on "Trustworthy AI" to address six critical issues

show abstract

“…Except adversarial training, most of the existing defense algorithms are ineffective against optimization-based attacks [5], [10]. However, research suggests that adversarial training is vulnerable to black-box attacks with several privacy issues and creates blind-spots for further attacks [26], [41]. Recently, Agarwal et al [3] have performed a study regarding the essential components in network training and adversarial examples generation, which can further improve adversarial robustness.…”

Section: Related Workmentioning

confidence: 99%

Attack Agnostic Adversarial Defense via Visual Imperceptible Bound

Chhabra¹,

Singh²,

Vatsa³

2020

Preprint

View full text Add to dashboard Cite

The high susceptibility of deep learning algorithms against structured and unstructured perturbations has motivated the development of efficient adversarial defense algorithms. However, the lack of generalizability of existing defense algorithms and the high variability in the performance of the attack algorithms for different databases raises several questions on the effectiveness of the defense algorithms. In this research, we aim to design a defense model that is robust within a certain bound against both seen and unseen adversarial attacks. This bound is related to the visual appearance of an image, and we termed it as Visual Imperceptible Bound (VIB). To compute this bound, we propose a novel method that uses the database characteristics. The VIB is further used to measure the effectiveness of attack algorithms. The performance of the proposed defense model is evaluated on the MNIST, CIFAR-10, and Tiny ImageNet databases on multiple attacks that include C&W (l2) and DeepFool. The proposed defense model is not only able to increase the robustness against several attacks but also retain or improve the classification accuracy on an original clean test set. The proposed algorithm is attack agnostic, i.e. it does not require any knowledge of the attack algorithm.

show abstract

Robust or Private? Adversarial Training Makes Models More Vulnerable to Privacy Attacks

Cited by 3 publications

References 11 publications

Plug-In Inversion: Model-Agnostic Inversion for Vision with Data Augmentations

Plug-In Inversion: Model-Agnostic Inversion for Vision with Data Augmentations

Trustworthy AI

Attack Agnostic Adversarial Defense via Visual Imperceptible Bound

Contact Info

Product

Resources

About