Robustness-via-synthesis: Robust training with generative adversarial perturbations

Baytaş, İnci M.; Deb, Debayan

doi:10.1016/j.neucom.2022.10.034

Cited by 7 publications

(6 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Although AT is expected to contribute to the generalization of the model for adversarial samples, we commonly observe several phenomena, such as catastrophic overfitting (Wong et al, 2020), label leaking (Kurakin et al, 2017), and gradient masking (Athalye et al, 2018;Ilyas et al, 2019) that result in overfitting to certain perturbations and hampering the training. One of the contributing factors to these challenges in AT is the adversarial sample generation based on the gradient of the cross-entropy loss (Baytaş & Deb, 2023). Therefore, the adversarial direction obtained via increasing the cross-entropy loss is insufficient to generate stronger and diverse attacks (Etmann et al, 2019).…”

Section: Methodsmentioning

confidence: 99%

“…PGD can explore stronger attacks than a single-step adversarial attack such as FGSM. However, robustness literature often discusses that the trade-off between robustness and generalization inevitably grows when the PGD attack is used in AT (Baytaş & Deb, 2023). For this reason, various modifications and improvements are proposed to address the lack of generalization of PGD adversarial training (Wong & Kolter, 2018;.…”

Section: Literature Reviewmentioning

confidence: 99%

“…We stress that the goal of adversarial robustness should not be improving the robust accuracy while sacrificing the model's accuracy on the natural test samples. To alleviate this trade-off, mixup (Zhang et al, 2018) and feature scattering-based techniques (Zhang et al, 2019b;Baytaş & Deb, 2023) are employed in the literature. More recently, augmenting the training set with millions of images synthesized by generative models has also been employed to improve both robust and natural performance (Wang et al, 2023).…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Perturbation Augmentation for Adversarial Training with Diverse Attacks

Serbes,

Baytaş

2024

Gazi University Journal of Science Part A: Engineering and Innovation

View full text Add to dashboard Cite

Adversarial Training (AT) aims to alleviate the vulnerability of deep neural networks to adversarial perturbations. However, the AT techniques struggle to maintain the performance on natural samples while improving the deep model’s robustness. The absence of perturbation diversity in generated during the adversarial training degrades the generalizability of the robust models, causing overfitting to particular perturbations and a decrease in natural performance. This study proposes an adversarial training framework that augments adversarial directions from a single-step attack to address the trade-off between robustness and generalization. Inspired by feature scattering adversarial training, the proposed framework computes a principal adversarial direction with a single-step attack that finds a perturbation disrupting the inter-sample relationships in the mini-batch during adversarial training. The principal direction obtained at each iteration is augmented by sampling new adversarial directions within a region spanning 45 degrees from the principal adversarial direction. The proposed adversarial training approach does not require extra backpropagation steps in adversarial direction augmentation. Therefore, generalization of the robust model is improved without posing an additional burden on the feature scattering adversarial training. Experiments on CIFAR-10, CIFAR-100, SVHN, Tiny-ImageNet, and The German Traffic Sign Recognition Benchmark consistently improve the accuracy on adversarial with an almost pristine natural performance.

show abstract

Section: Methodsmentioning

confidence: 99%

Section: Literature Reviewmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Perturbation Augmentation for Adversarial Training with Diverse Attacks

Serbes,

Baytaş

2024

Gazi University Journal of Science Part A: Engineering and Innovation

View full text Add to dashboard Cite

show abstract

“…By concatenating a processed image hash sequence H′ and a feature vector I into a new feature vector I′, we improved the robustness of models against adversarial examples. To investigate the effect of the ratio R of the length of I to the length of H′ in the feature vector I′, we evaluated the performance of the model against the adversarial example methods FGSM, 16 PGD, 17 and one-pixel 22 with different perturbation budgets. The detailed classification accuracies of network C are listed in Table 1.…”

Section: Methodsmentioning

confidence: 99%

“…1. Data modification-based mechanisms 14 – 16 improve the robustness of neural networks against adversarial examples using improved data for training or testing. Hence, these methods are costly and require a large number of normal and adversarial examples to defend against a set of specific attacks.…”

Section: Introductionmentioning

confidence: 99%

Defending against adversarial examples using perceptual image hashing

Wang

Zhang

et al. 2023

J. Electron. Imag.

View full text Add to dashboard Cite

Conventional deep neural networks (DNNs) have been shown to be vulnerable to images with adversarial perturbations, referred to as adversarial examples. In this study, we propose a method to protect neural networks against adversarial examples using perceptual image hashing. Because perceptual hashing is robust to adversarial perturbations, we combine hash sequences of input images with the parameters of a neural network in an image-hash processing network. Thus, outputs of the neural network are affected by image hashes, which render the model robust to adversarial examples to some extent. Thus, the proposed approach provides a defense against adversarial examples. The experiment was conducted on the CIFAR-10 dataset, and we used ResNet-18 as our target network. To verify our method, we tested our defense network using several common white-box attacks and black-box attacks. The results show that it achieved a significant improvement in the classification accuracy for adversarial examples.

show abstract

How to Defend and Secure Deep Learning Models Against Adversarial Attacks in Computer Vision: A Systematic Review

Dhamija,

Bansal

2024

New Gener. Comput.

View full text Add to dashboard Cite

Robustness-via-synthesis: Robust training with generative adversarial perturbations

Cited by 7 publications

References 22 publications

Perturbation Augmentation for Adversarial Training with Diverse Attacks

Perturbation Augmentation for Adversarial Training with Diverse Attacks

Defending against adversarial examples using perceptual image hashing

How to Defend and Secure Deep Learning Models Against Adversarial Attacks in Computer Vision: A Systematic Review

Contact Info

Product

Resources

About