Journal articles on the topic 'Adversarial robustness'


Consult the top 50 journal articles for your research on the topic 'Adversarial robustness.'


1

Doan, Bao Gia, Shuiqiao Yang, Paul Montague, Olivier De Vel, Tamas Abraham, Seyit Camtepe, Salil S. Kanhere, Ehsan Abbasnejad, and Damith C. Ranashinghe. "Feature-Space Bayesian Adversarial Learning Improved Malware Detector Robustness." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 12 (June 26, 2023): 14783–91. http://dx.doi.org/10.1609/aaai.v37i12.26727.

Abstract:
We present a new algorithm to train a robust malware detector. Malware is a prolific problem and malware detectors are a front-line defense. Modern detectors rely on machine learning algorithms. Now, the adversarial objective is to devise alterations to the malware code to decrease the chance of being detected whilst preserving the functionality and realism of the malware. Adversarial learning is effective in improving robustness but generating functional and realistic adversarial malware samples is non-trivial. Because: i) in contrast to tasks capable of using gradient-based feedback, adversarial learning in a domain without a differentiable mapping function from the problem space (malware code inputs) to the feature space is hard; and ii) it is difficult to ensure the adversarial malware is realistic and functional. This presents a challenge for developing scalable adversarial machine learning algorithms for large datasets at a production or commercial scale to realize robust malware detectors. We propose an alternative; perform adversarial learning in the feature space in contrast to the problem space. We prove the projection of perturbed, yet valid malware, in the problem space into feature space will always be a subset of adversarials generated in the feature space. Hence, by generating a robust network against feature-space adversarial examples, we inherently achieve robustness against problem-space adversarial examples. We formulate a Bayesian adversarial learning objective that captures the distribution of models for improved robustness. To explain the robustness of the Bayesian adversarial learning algorithm, we prove that our learning method bounds the difference between the adversarial risk and empirical risk and improves robustness. We show that Bayesian neural networks (BNNs) achieve state-of-the-art results; especially in the False Positive Rate (FPR) regime. Adversarially trained BNNs achieve state-of-the-art robustness. Notably, adversarially trained BNNs are robust against stronger attacks with larger attack budgets by a margin of up to 15% on a recent production-scale malware dataset of more than 20 million samples. Importantly, our efforts create a benchmark for future defenses in the malware domain.
2

Zhou, Xiaoling, Nan Yang, and Ou Wu. "Combining Adversaries with Anti-adversaries in Training." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 9 (June 26, 2023): 11435–42. http://dx.doi.org/10.1609/aaai.v37i9.26352.

Abstract:
Adversarial training is an effective learning technique to improve the robustness of deep neural networks. In this study, the influence of adversarial training on deep learning models in terms of fairness, robustness, and generalization is theoretically investigated under more general perturbation scope that different samples can have different perturbation directions (the adversarial and anti-adversarial directions) and varied perturbation bounds. Our theoretical explorations suggest that the combination of adversaries and anti-adversaries (samples with anti-adversarial perturbations) in training can be more effective in achieving better fairness between classes and a better tradeoff between robustness and generalization in some typical learning scenarios (e.g., noisy label learning and imbalance learning) compared with standard adversarial training. On the basis of our theoretical findings, a more general learning objective that combines adversaries and anti-adversaries with varied bounds on each training sample is presented. Meta learning is utilized to optimize the combination weights. Experiments on benchmark datasets under different learning scenarios verify our theoretical findings and the effectiveness of the proposed methodology.
3

Goldblum, Micah, Liam Fowl, Soheil Feizi, and Tom Goldstein. "Adversarially Robust Distillation." Proceedings of the AAAI Conference on Artificial Intelligence 34, no. 04 (April 3, 2020): 3996–4003. http://dx.doi.org/10.1609/aaai.v34i04.5816.

Abstract:
Knowledge distillation is effective for producing small, high-performance neural networks for classification, but these small networks are vulnerable to adversarial attacks. This paper studies how adversarial robustness transfers from teacher to student during knowledge distillation. We find that a large amount of robustness may be inherited by the student even when distilled on only clean images. Second, we introduce Adversarially Robust Distillation (ARD) for distilling robustness onto student networks. In addition to producing small models with high test accuracy like conventional distillation, ARD also passes the superior robustness of large networks onto the student. In our experiments, we find that ARD student models decisively outperform adversarially trained networks of identical architecture in terms of robust accuracy, surpassing state-of-the-art methods on standard robustness benchmarks. Finally, we adapt recent fast adversarial training methods to ARD for accelerated robust distillation.
4

Tack, Jihoon, Sihyun Yu, Jongheon Jeong, Minseon Kim, Sung Ju Hwang, and Jinwoo Shin. "Consistency Regularization for Adversarial Robustness." Proceedings of the AAAI Conference on Artificial Intelligence 36, no. 8 (June 28, 2022): 8414–22. http://dx.doi.org/10.1609/aaai.v36i8.20817.

Abstract:
Adversarial training (AT) is currently one of the most successful methods to obtain the adversarial robustness of deep neural networks. However, the phenomenon of robust overfitting, i.e., the robustness starts to decrease significantly during AT, has been problematic, not only making practitioners consider a bag of tricks for a successful training, e.g., early stopping, but also incurring a significant generalization gap in the robustness. In this paper, we propose an effective regularization technique that prevents robust overfitting by optimizing an auxiliary `consistency' regularization loss during AT. Specifically, we discover that data augmentation is a quite effective tool to mitigate the overfitting in AT, and develop a regularization that forces the predictive distributions after attacking from two different augmentations of the same instance to be similar with each other. Our experimental results demonstrate that such a simple regularization technique brings significant improvements in the test robust accuracy of a wide range of AT methods. More remarkably, we also show that our method could significantly help the model to generalize its robustness against unseen adversaries, e.g., other types or larger perturbations compared to those used during training. Code is available at https://github.com/alinlab/consistency-adversarial.
5

Liang, Youwei, and Dong Huang. "Large Norms of CNN Layers Do Not Hurt Adversarial Robustness." Proceedings of the AAAI Conference on Artificial Intelligence 35, no. 10 (May 18, 2021): 8565–73. http://dx.doi.org/10.1609/aaai.v35i10.17039.

Abstract:
Since the Lipschitz properties of convolutional neural networks (CNNs) are widely considered to be related to adversarial robustness, we theoretically characterize the L-1 norm and L-infinity norm of 2D multi-channel convolutional layers and provide efficient methods to compute the exact L-1 norm and L-infinity norm. Based on our theorem, we propose a novel regularization method termed norm decay, which can effectively reduce the norms of convolutional layers and fully-connected layers. Experiments show that norm-regularization methods, including norm decay, weight decay, and singular value clipping, can improve generalization of CNNs. However, they can slightly hurt adversarial robustness. Observing this unexpected phenomenon, we compute the norms of layers in the CNNs trained with three different adversarial training frameworks and surprisingly find that adversarially robust CNNs have comparable or even larger layer norms than their non-adversarially robust counterparts. Furthermore, we prove that under a mild assumption, adversarially robust classifiers can be achieved using neural networks, and an adversarially robust neural network can have an arbitrarily large Lipschitz constant. For this reason, enforcing small norms on CNN layers may be neither necessary nor effective in achieving adversarial robustness. The code is available at https://github.com/youweiliang/norm_robustness.
6

Wang, Desheng, Weidong Jin, and Yunpu Wu. "Between-Class Adversarial Training for Improving Adversarial Robustness of Image Classification." Sensors 23, no. 6 (March 20, 2023): 3252. http://dx.doi.org/10.3390/s23063252.

Abstract:
Deep neural networks (DNNs) have been known to be vulnerable to adversarial attacks. Adversarial training (AT) is, so far, the only method that can guarantee the robustness of DNNs to adversarial attacks. However, the robustness generalization accuracy gain of AT is still far lower than the standard generalization accuracy of an undefended model, and there is known to be a trade-off between the standard generalization accuracy and the robustness generalization accuracy of an adversarially trained model. In order to improve the robustness generalization and the standard generalization performance trade-off of AT, we propose a novel defense algorithm called Between-Class Adversarial Training (BCAT) that combines Between-Class learning (BC-learning) with standard AT. Specifically, BCAT mixes two adversarial examples from different classes and uses the mixed between-class adversarial examples to train a model instead of original adversarial examples during AT. We further propose BCAT+ which adopts a more powerful mixing method. BCAT and BCAT+ impose effective regularization on the feature distribution of adversarial examples to enlarge between-class distance, thus improving the robustness generalization and the standard generalization performance of AT. The proposed algorithms do not introduce any hyperparameters into standard AT; therefore, the process of hyperparameters searching can be avoided. We evaluate the proposed algorithms under both white-box attacks and black-box attacks using a spectrum of perturbation values on CIFAR-10, CIFAR-100, and SVHN datasets. The research findings indicate that our algorithms achieve better global robustness generalization performance than the state-of-the-art adversarial defense methods.
7

Bui, Anh Tuan, Trung Le, He Zhao, Paul Montague, Olivier DeVel, Tamas Abraham, and Dinh Phung. "Improving Ensemble Robustness by Collaboratively Promoting and Demoting Adversarial Robustness." Proceedings of the AAAI Conference on Artificial Intelligence 35, no. 8 (May 18, 2021): 6831–39. http://dx.doi.org/10.1609/aaai.v35i8.16843.

Abstract:
Ensemble-based Adversarial Training is a principled approach to achieve robustness against adversarial attacks. An important technicality of this approach is to control the transferability of adversarial examples between ensemble members. We propose in this work a simple, but effective strategy to collaborate among committee models of an ensemble model. This is achieved via the secure and insecure sets defined for each model member on a given sample, hence help us to quantify and regularize the transferability. Consequently, our proposed framework provides the flexibility to reduce the adversarial transferability as well as promote the diversity of ensemble members, which are two crucial factors for better robustness in our ensemble approach. We conduct extensive and comprehensive experiments to demonstrate that our proposed method outperforms the state-of-the-art ensemble baselines, at the same time can detect a wide range of adversarial examples with a near perfect accuracy.
8

Li, Xin, Xiangrui Li, Deng Pan, and Dongxiao Zhu. "Improving Adversarial Robustness via Probabilistically Compact Loss with Logit Constraints." Proceedings of the AAAI Conference on Artificial Intelligence 35, no. 10 (May 18, 2021): 8482–90. http://dx.doi.org/10.1609/aaai.v35i10.17030.

Abstract:
Convolutional neural networks (CNNs) have achieved state-of-the-art performance on various tasks in computer vision. However, recent studies demonstrate that these models are vulnerable to carefully crafted adversarial samples and suffer from a significant performance drop when predicting them. Many methods have been proposed to improve adversarial robustness (e.g., adversarial training and new loss functions to learn adversarially robust feature representations). Here we offer a unique insight into the predictive behavior of CNNs that they tend to misclassify adversarial samples into the most probable false classes. This inspires us to propose a new Probabilistically Compact (PC) loss with logit constraints which can be used as a drop-in replacement for cross-entropy (CE) loss to improve CNN's adversarial robustness. Specifically, PC loss enlarges the probability gaps between true class and false classes meanwhile the logit constraints prevent the gaps from being melted by a small perturbation. We extensively compare our method with the state-of-the-art using large scale datasets under both white-box and black-box attacks to demonstrate its effectiveness. The source codes are available at https://github.com/xinli0928/PC-LC.
9

Yang, Shuo, Tianyu Guo, Yunhe Wang, and Chang Xu. "Adversarial Robustness through Disentangled Representations." Proceedings of the AAAI Conference on Artificial Intelligence 35, no. 4 (May 18, 2021): 3145–53. http://dx.doi.org/10.1609/aaai.v35i4.16424.

Abstract:
Despite the remarkable empirical performance of deep learning models, their vulnerability to adversarial examples has been revealed in many studies. They are prone to make a susceptible prediction to the input with imperceptible adversarial perturbation. Although recent works have remarkably improved the model's robustness under the adversarial training strategy, an evident gap between the natural accuracy and adversarial robustness inevitably exists. In order to mitigate this problem, in this paper, we assume that the robust and non-robust representations are two basic ingredients entangled in the integral representation. For achieving adversarial robustness, the robust representations of natural and adversarial examples should be disentangled from the non-robust part and the alignment of the robust representations can bridge the gap between accuracy and robustness. Inspired by this motivation, we propose a novel defense method called Deep Robust Representation Disentanglement Network (DRRDN). Specifically, DRRDN employs a disentangler to extract and align the robust representations from both adversarial and natural examples. Theoretical analysis guarantees the mitigation of the trade-off between robustness and accuracy with good disentanglement and alignment performance. Experimental results on benchmark datasets finally demonstrate the empirical superiority of our method.
10

Li, Zhuorong, Chao Feng, Minghui Wu, Hongchuan Yu, Jianwei Zheng, and Fanwei Zhu. "Adversarial robustness via attention transfer." Pattern Recognition Letters 146 (June 2021): 172–78. http://dx.doi.org/10.1016/j.patrec.2021.03.011.

11

Liao, Ningyi, Shufan Wang, Liyao Xiang, Nanyang Ye, Shuo Shao, and Pengzhi Chu. "Achieving adversarial robustness via sparsity." Machine Learning 111, no. 2 (October 12, 2021): 685–711. http://dx.doi.org/10.1007/s10994-021-06049-9.

12

Pereira, Gean T., and André C. P. L. F. de Carvalho. "Bringing robustness against adversarial attacks." Nature Machine Intelligence 1, no. 11 (November 2019): 499–500. http://dx.doi.org/10.1038/s42256-019-0116-2.

13

Yan, Jiale, Yang Xu, Sicong Zhang, Kezi Li, and Xiaoyao Xie. "Improving Adversarial Robustness via Finding Flat Minimum of the Weight Loss Landscape." 電腦學刊 34, no. 1 (February 2023): 029–43. http://dx.doi.org/10.53106/199115992023023401003.

Abstract:
Recent studies have shown that robust overfitting and robust generalization gap are a major trouble in adversarial training of deep neural networks. These interesting problems of robust overfitting and robust generalization gap motivate us to explore more solutions. Inspired by recent research on the idea of smoothness, this paper introduces the latest research work on the Adversarial Model Perturbation (AMP) method of finding the flatter minimum of the weight loss landscape into the adversarial training (AT) framework of deep neural networks to alleviate the robust overfitting and robust generalization gap troubles, called AT-AMP method. The validity of the flat minimum is explained from the perspective of statistical generalization theory. Although the idea is plain, this approach is surprisingly effective. Experiments demonstrate that by incorporating the AMP method into adversarial training framework, we can boost the robust accuracy by 1.14% ~ 5.73%, on three different benchmark datasets SVHN, CIFAR-10, CIFAR-100 and two threat models norm constraint and L2 norm constraint, across diverse types of adversarial training framework such as AT, TRADES, MART, AT with pre-training and RST and diverse white-box and black-box attack, achieving the state-of-the-art performance in adversarial training framework. In addition, we compare several classical regularization and modern deep learning data augmentation tricks for robust overfitting and robust generalization with the AMP method, and the experimental research results consistently indicate that introducing the AMP method achieves advanced adversarial robustness in the adversarial training framework.
14

Zhang, Jie, Bo Li, Chen Chen, Lingjuan Lyu, Shuang Wu, Shouhong Ding, and Chao Wu. "Delving into the Adversarial Robustness of Federated Learning." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 9 (June 26, 2023): 11245–53. http://dx.doi.org/10.1609/aaai.v37i9.26331.

Abstract:
In Federated Learning (FL), models are as fragile as centrally trained models against adversarial examples. However, the adversarial robustness of federated learning remains largely unexplored. This paper casts light on the challenge of adversarial robustness of federated learning. To facilitate a better understanding of the adversarial vulnerability of the existing FL methods, we conduct comprehensive robustness evaluations on various attacks and adversarial training methods. Moreover, we reveal the negative impacts induced by directly adopting adversarial training in FL, which seriously hurts the test accuracy, especially in non-IID settings. In this work, we propose a novel algorithm called Decision Boundary based Federated Adversarial Training (DBFAT), which consists of two components (local re-weighting and global regularization) to improve both accuracy and robustness of FL systems. Extensive experiments on multiple datasets demonstrate that DBFAT consistently outperforms other baselines under both IID and non-IID settings.
15

Cheng, Zhi, Yanxi Li, Minjing Dong, Xiu Su, Shan You, and Chang Xu. "Neural Architecture Search for Wide Spectrum Adversarial Robustness." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 1 (June 26, 2023): 442–51. http://dx.doi.org/10.1609/aaai.v37i1.25118.

Abstract:
One major limitation of CNNs is that they are vulnerable to adversarial attacks. Currently, adversarial robustness in neural networks is commonly optimized with respect to a small pre-selected adversarial noise strength, causing them to have potentially limited performance when under attack by larger adversarial noises in real-world scenarios. In this research, we aim to find Neural Architectures that have improved robustness on a wide range of adversarial noise strengths through Neural Architecture Search. In detail, we propose a lightweight Adversarial Noise Estimator to reduce the high cost of generating adversarial noise with respect to different strengths. Besides, we construct an Efficient Wide Spectrum Searcher to reduce the cost of adjusting network architecture with the large adversarial validation set during the search. With the two components proposed, the number of adversarial noise strengths searched can be increased significantly while having a limited increase in search time. Extensive experiments on benchmark datasets such as CIFAR and ImageNet demonstrate that with a significantly richer search signal in robustness, our method can find architectures with improved overall robustness while having a limited impact on natural accuracy and around 40% reduction in search time compared with the naive approach of searching. Codes available at: https://github.com/zhicheng2T0/Wsr-NAS.git
16

Sun, Guangling, Yuying Su, Chuan Qin, Wenbo Xu, Xiaofeng Lu, and Andrzej Ceglowski. "Complete Defense Framework to Protect Deep Neural Networks against Adversarial Examples." Mathematical Problems in Engineering 2020 (May 11, 2020): 1–17. http://dx.doi.org/10.1155/2020/8319249.

Abstract:
Although Deep Neural Networks (DNNs) have achieved great success on various applications, investigations have increasingly shown DNNs to be highly vulnerable when adversarial examples are used as input. Here, we present a comprehensive defense framework to protect DNNs against adversarial examples. First, we present statistical and minor alteration detectors to filter out adversarial examples contaminated by noticeable and unnoticeable perturbations, respectively. Then, we ensemble the detectors, a deep Residual Generative Network (ResGN), and an adversarially trained targeted network, to construct a complete defense framework. In this framework, the ResGN is our previously proposed network which is used to remove adversarial perturbations, and the adversarially trained targeted network is a network that is learned through adversarial training. Specifically, once the detectors determine an input example to be adversarial, it is cleaned by ResGN and then classified by the adversarially trained targeted network; otherwise, it is directly classified by this network. We empirically evaluate the proposed complete defense on ImageNet dataset. The results confirm the robustness against current representative attacking methods including fast gradient sign method, randomized fast gradient sign method, basic iterative method, universal adversarial perturbations, DeepFool method, and Carlini & Wagner method.
17

Fatehi, Nina, Qutaiba Alasad, and Mohammed Alawad. "Towards Adversarial Attacks for Clinical Document Classification." Electronics 12, no. 1 (December 28, 2022): 129. http://dx.doi.org/10.3390/electronics12010129.

Abstract:
Regardless of revolutionizing improvements in various domains thanks to recent advancements in the field of Deep Learning (DL), recent studies have demonstrated that DL networks are susceptible to adversarial attacks. Such attacks are crucial in sensitive environments to make critical and life-changing decisions, such as health decision-making. Research efforts on using textual adversaries to attack DL for natural language processing (NLP) have received increasing attention in recent years. Among the available textual adversarial studies, Electronic Health Records (EHR) have gained the least attention. This paper investigates the effectiveness of adversarial attacks on clinical document classification and proposes a defense mechanism to develop a robust convolutional neural network (CNN) model and counteract these attacks. Specifically, we apply various black-box attacks based on concatenation and editing adversaries on unstructured clinical text. Then, we propose a defense technique based on feature selection and filtering to improve the robustness of the models. Experimental results show that a small perturbation to the unstructured text in clinical documents causes a significant drop in performance. Performing the proposed defense mechanism under the same adversarial attacks, on the other hand, avoids such a drop in performance. Therefore, it enhances the robustness of the CNN model for clinical document classification.
18

Gupta, Kartik, and Thalaiyasingam Ajanthan. "Improved Gradient-Based Adversarial Attacks for Quantized Networks." Proceedings of the AAAI Conference on Artificial Intelligence 36, no. 6 (June 28, 2022): 6810–18. http://dx.doi.org/10.1609/aaai.v36i6.20637.

Abstract:
Neural network quantization has become increasingly popular due to efficient memory consumption and faster computation resulting from bitwise operations on the quantized networks. Even though they exhibit excellent generalization capabilities, their robustness properties are not well-understood. In this work, we systematically study the robustness of quantized networks against gradient based adversarial attacks and demonstrate that these quantized models suffer from gradient vanishing issues and show a fake sense of robustness. By attributing gradient vanishing to poor forward-backward signal propagation in the trained network, we introduce a simple temperature scaling approach to mitigate this issue while preserving the decision boundary. Despite being a simple modification to existing gradient based adversarial attacks, experiments on multiple image classification datasets with multiple network architectures demonstrate that our temperature scaled attacks obtain near-perfect success rate on quantized networks while outperforming original attacks on adversarially trained models as well as floating-point networks.
19

Jiang, Guoteng, Zhuang Qian, Qiu-Feng Wang, Yan Wei, and Kaizhu Huang. "Adversarial Attack and Defence on Handwritten Chinese Character Recognition." Journal of Physics: Conference Series 2278, no. 1 (May 1, 2022): 012023. http://dx.doi.org/10.1088/1742-6596/2278/1/012023.

Abstract:
Deep Neural Networks (DNNs) have shown their powerful performance in classification; however, the robustness issue of DNNs has arisen as one primary concern, e.g., adversarial attack. So far as we know, there is not any reported work about the adversarial attack on handwritten Chinese character recognition (HCCR). To this end, the classical adversarial attack method (i.e., Projection Gradient Descent: PGD) is adopted to generate adversarial examples to evaluate the robustness of the HCCR model. Furthermore, in the training process, we use adversarial examples to improve the robustness of the HCCR model. In the experiments, we utilize a frequently-used DNN model on HCCR and evaluate its robustness on the benchmark dataset CASIA-HWDB. The experimental results show that its recognition accuracy is decreased severely on the adversarial examples, demonstrating the vulnerability of the current HCCR model. In addition, we can improve the recognition accuracy significantly after the adversarial training, demonstrating its effectiveness.
20

Hou, Pengyue, Jie Han, and Xingyu Li. "Improving Adversarial Robustness with Self-Paced Hard-Class Pair Reweighting." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 12 (June 26, 2023): 14883–91. http://dx.doi.org/10.1609/aaai.v37i12.26738.

Abstract:
Deep Neural Networks are vulnerable to adversarial attacks. Among many defense strategies, adversarial training with untargeted attacks is one of the most effective methods. Theoretically, adversarial perturbation in untargeted attacks can be added along arbitrary directions and the predicted labels of untargeted attacks should be unpredictable. However, we find that the naturally imbalanced inter-class semantic similarity makes those hard-class pairs become virtual targets of each other. This study investigates the impact of such closely-coupled classes on adversarial attacks and develops a self-paced reweighting strategy in adversarial training accordingly. Specifically, we propose to upweight hard-class pair losses in model optimization, which prompts learning discriminative features from hard classes. We further incorporate a term to quantify hard-class pair consistency in adversarial training, which greatly boosts model robustness. Extensive experiments show that the proposed adversarial training method achieves superior robustness performance over state-of-the-art defenses against a wide range of adversarial attacks. The code of the proposed SPAT is published at https://github.com/puerrrr/Self-Paced-Adversarial-Training.
21

Wu, Jiaping, Zhaoqiang Xia, and Xiaoyi Feng. "Improving Adversarial Robustness of CNNs via Maximum Margin." Applied Sciences 12, no. 15 (August 8, 2022): 7927. http://dx.doi.org/10.3390/app12157927.

Abstract:
In recent years, adversarial examples have aroused widespread research interest and raised concerns about the safety of CNNs. We study adversarial machine learning inspired by a support vector machine (SVM), where the decision boundary with maximum margin is only determined by examples close to it. From the perspective of margin, the adversarial examples are the clean examples perturbed in the margin direction and adversarial training (AT) is equivalent to a data augmentation method that moves the input toward the decision boundary, the purpose also being to increase the margin. So we propose adversarial training with supported vector machine (AT-SVM) to improve the standard AT by inserting an SVM auxiliary classifier to learn a larger margin. In addition, we select examples close to the decision boundary through the SVM auxiliary classifier and train only on these more important examples. We prove that the SVM auxiliary classifier can constrain the high-layer feature map of the original network to make its margin larger, thereby improving the inter-class separability and intra-class compactness of the network. Experiments indicate that our proposed method can effectively improve the robustness against adversarial examples.
22

Yin, Mingyong, Yixiao Xu, Teng Hu, and Xiaolei Liu. "A Robust Adversarial Example Attack Based on Video Augmentation." Applied Sciences 13, no. 3 (February 1, 2023): 1914. http://dx.doi.org/10.3390/app13031914.

Abstract:
Despite the success of learning-based systems, recent studies have highlighted video adversarial examples as a ubiquitous threat to state-of-the-art video classification systems. Video adversarial attacks add subtle noise to the original example, resulting in a false classification result. Thorough studies on how to generate video adversarial examples are essential to prevent potential attacks. Despite much research on this, existing research works on the robustness of video adversarial examples are still limited. To generate highly robust video adversarial examples, we propose a video-augmentation-based adversarial attack (v3a), focusing on the video transformations to reinforce the attack. Further, we investigate different transformations as parts of the loss function to make the video adversarial examples more robust. The experiment results show that our proposed method outperforms other adversarial attacks in terms of robustness. We hope that our study encourages a deeper understanding of adversarial robustness in video classification systems with video augmentation.
23

Lee, Youngseok, and Jongweon Kim. "Robustness of Deep Learning Models for Vision Tasks." Applied Sciences 13, no. 7 (March 30, 2023): 4422. http://dx.doi.org/10.3390/app13074422.

Abstract:
In recent years, artificial intelligence technologies in vision tasks have gradually begun to be applied to the physical world, proving they are vulnerable to adversarial attacks. Thus, the importance of improving robustness against adversarial attacks has emerged as an urgent issue in vision tasks. This article aims to provide a historical summary of the evolution of adversarial attacks and defense methods on CNN-based models and also introduces studies focusing on brain-inspired models that mimic the visual cortex, which is resistant to adversarial attacks. As the origination of CNN models was in the application of physiological findings related to the visual cortex of the time, new physiological studies related to the visual cortex provide an opportunity to create more robust models against adversarial attacks. The authors hope this review will promote interest and progress in artificially intelligent security by improving the robustness of deep learning models for vision tasks.
24

Mygdalis, Vasileios, and Ioannis Pitas. "Hyperspherical class prototypes for adversarial robustness." Pattern Recognition 125 (May 2022): 108527. http://dx.doi.org/10.1016/j.patcog.2022.108527.

25

Rozsa, Andras, Manuel Günther, Ethan M. Rudd, and Terrance E. Boult. "Facial attributes: Accuracy and adversarial robustness." Pattern Recognition Letters 124 (June 2019): 100–108. http://dx.doi.org/10.1016/j.patrec.2017.10.024.

26

Li, Zhuorong, Chao Feng, Jianwei Zheng, Minghui Wu, and Hongchuan Yu. "Towards Adversarial Robustness via Feature Matching." IEEE Access 8 (2020): 88594–603. http://dx.doi.org/10.1109/access.2020.2993304.

27

Kotyan, Shashank, and Danilo Vasconcellos Vargas. "Adversarial robustness assessment: Why in evaluation both L0 and L∞ attacks are necessary." PLOS ONE 17, no. 4 (April 14, 2022): e0265723. http://dx.doi.org/10.1371/journal.pone.0265723.

Abstract:
There are different types of adversarial attacks and defences for machine learning algorithms which makes assessing the robustness of an algorithm a daunting task. Moreover, there is an intrinsic bias in these adversarial attacks and defences to make matters worse. Here, we organise the problems faced: a) Model Dependence, b) Insufficient Evaluation, c) False Adversarial Samples, and d) Perturbation Dependent Results. Based on this, we propose a model agnostic adversarial robustness assessment method based on L0 and L∞ distance-based norms and the concept of robustness levels to tackle the problems. We validate our robustness assessment on several neural network architectures (WideResNet, ResNet, AllConv, DenseNet, NIN, LeNet and CapsNet) and adversarial defences for the image classification problem. The proposed robustness assessment reveals that the robustness may vary significantly depending on the metric used (i.e., L0 or L∞). Hence, the duality should be taken into account for a correct evaluation. Moreover, a mathematical derivation and a counter-example suggest that L1 and L2 metrics alone are not sufficient to avoid spurious adversarial samples. Interestingly, the threshold attack of the proposed assessment is a novel L∞ black-box adversarial method which requires even more minor perturbation than the One-Pixel Attack (only 12% of One-Pixel Attack's amount of perturbation) to achieve similar results. We further show that all current networks and defences are vulnerable at all levels of robustness, suggesting that current networks and defences are only effective against a few attacks, keeping the models vulnerable to different types of attacks.
28

Khan, Sarwar, Jun-Cheng Chen, Wen-Hung Liao, and Chu-Song Chen. "Towards Adversarial Robustness for Multi-Mode Data through Metric Learning." Sensors 23, no. 13 (July 5, 2023): 6173. http://dx.doi.org/10.3390/s23136173.

Abstract:
Adversarial attacks have become one of the most serious security issues in widely used deep neural networks. Even though real-world datasets usually have large intra-variations or multiple modes, most adversarial defense methods, such as adversarial training, which is currently one of the most effective defense methods, mainly focus on the single-mode setting and thus fail to capture the full data representation to defend against adversarial attacks. To confront this challenge, we propose a novel multi-prototype metric learning regularization for adversarial training which can effectively enhance the defense capability of adversarial training by preventing the latent representation of the adversarial example from changing a lot from its clean one. With extensive experiments on CIFAR10, CIFAR100, MNIST, and Tiny ImageNet, the evaluation results show the proposed method improves the performance of different state-of-the-art adversarial training methods without additional computational cost. Furthermore, besides Tiny ImageNet, in the multi-prototype CIFAR10 and CIFAR100 where we reorganize the whole datasets of CIFAR10 and CIFAR100 into two and ten classes, respectively, the proposed method outperforms the state-of-the-art approach by 2.22% and 1.65%, respectively. Furthermore, the proposed multi-prototype method also outperforms its single-prototype version and other commonly used deep metric learning approaches as regularization for adversarial training and thus further demonstrates its effectiveness.
29

Hong, Junyuan, Haotao Wang, Zhangyang Wang, and Jiayu Zhou. "Federated Robustness Propagation: Sharing Adversarial Robustness in Heterogeneous Federated Learning." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 7 (June 26, 2023): 7893–901. http://dx.doi.org/10.1609/aaai.v37i7.25955.

Abstract:
Federated learning (FL) emerges as a popular distributed learning schema that learns a model from a set of participating users without sharing raw data. One major challenge of FL comes with heterogeneous users, who may have distributionally different (or non-iid) data and varying computation resources. As federated users would use the model for prediction, they often demand the trained model to be robust against malicious attackers at test time. Whereas adversarial training (AT) provides a sound solution for centralized learning, extending its usage for federated users has imposed significant challenges, as many users may have very limited training data and tight computational budgets, to afford the data-hungry and costly AT. In this paper, we study a novel FL strategy: propagating adversarial robustness from rich-resource users that can afford AT, to those with poor resources that cannot afford it, during federated learning. We show that existing FL techniques cannot be effectively integrated with the strategy to propagate robustness among non-iid users and propose an efficient propagation approach by the proper use of batch-normalization. We demonstrate the rationality and effectiveness of our method through extensive experiments. Especially, the proposed method is shown to grant federated models remarkable robustness even when only a small portion of users afford AT during learning. Source code can be accessed at https://github.com/illidanlab/FedRBN.
30

Agarwal, Akshay, Mayank Vatsa, and Richa Singh. "Role of Optimizer on Network Fine-tuning for Adversarial Robustness (Student Abstract)." Proceedings of the AAAI Conference on Artificial Intelligence 35, no. 18 (May 18, 2021): 15745–46. http://dx.doi.org/10.1609/aaai.v35i18.17869.

Abstract:
The solutions proposed in the literature for adversarial robustness are either not effective against the challenging gradient-based attacks or are computationally demanding, such as adversarial training. Adversarial training or network-training-based data augmentation shows the potential to increase the adversarial robustness. While the training seems compelling, it is not feasible for resource-constrained institutions, especially academia, to train the network from scratch multiple times. The two-fold contributions are: (i) providing an effective solution against white-box adversarial attacks via network fine-tuning steps and (ii) observing the role of different optimizers towards robustness. Extensive experiments are performed on a range of databases, including Fashion-MNIST and a subset of ImageNet. It is found that a few steps of network fine-tuning effectively increase the robustness of both shallow and deep architectures. To know other interesting observations, especially regarding the role of the optimizer, refer to the paper.
31

Imam, Niddal H., and Vassilios G. Vassilakis. "A Survey of Attacks Against Twitter Spam Detectors in an Adversarial Environment." Robotics 8, no. 3 (July 4, 2019): 50. http://dx.doi.org/10.3390/robotics8030050.

Abstract:
Online Social Networks (OSNs), such as Facebook and Twitter, have become a very important part of many people’s daily lives. Unfortunately, the high popularity of these platforms makes them very attractive to spammers. Machine learning (ML) techniques have been widely used as a tool to address many cybersecurity application problems (such as spam and malware detection). However, most of the proposed approaches do not consider the presence of adversaries that target the defense mechanism itself. Adversaries can launch sophisticated attacks to undermine deployed spam detectors either during training or the prediction (test) phase. Not considering these adversarial activities at the design stage makes OSNs’ spam detectors vulnerable to a range of adversarial attacks. Thus, this paper surveys the attacks against Twitter spam detectors in an adversarial environment, and a general taxonomy of potential adversarial attacks is presented using common frameworks from the literature. Examples of adversarial activities on Twitter that were discovered after observing Arabic trending hashtags are discussed in detail. A new type of spam tweet (adversarial spam tweet), which can be used to undermine a deployed classifier, is examined. In addition, possible countermeasures that could increase the robustness of Twitter spam detectors to such attacks are investigated.
32

Chen, Hanjie, and Yangfeng Ji. "Adversarial Training for Improving Model Robustness? Look at Both Prediction and Interpretation." Proceedings of the AAAI Conference on Artificial Intelligence 36, no. 10 (June 28, 2022): 10463–72. http://dx.doi.org/10.1609/aaai.v36i10.21289.

Abstract:
Neural language models show vulnerability to adversarial examples which are semantically similar to their original counterparts with a few words replaced by their synonyms. A common way to improve model robustness is adversarial training which follows two steps—collecting adversarial examples by attacking a target model, and fine-tuning the model on the augmented dataset with these adversarial examples. The objective of traditional adversarial training is to make a model produce the same correct predictions on an original/adversarial example pair. However, the consistency between model decision-making on two similar texts is ignored. We argue that a robust model should behave consistently on original/adversarial example pairs, that is, making the same predictions (what) based on the same reasons (how), which can be reflected by consistent interpretations. In this work, we propose a novel feature-level adversarial training method named FLAT. FLAT aims at improving model robustness in terms of both predictions and interpretations. FLAT incorporates variational word masks in neural networks to learn global word importance and play as a bottleneck teaching the model to make predictions based on important words. FLAT explicitly shoots at the vulnerability problem caused by the mismatch between model understandings on the replaced words and their synonyms in original/adversarial example pairs by regularizing the corresponding global word importance scores. Experiments show the effectiveness of FLAT in improving the robustness with respect to both predictions and interpretations of four neural network models (LSTM, CNN, BERT, and DeBERTa) to two adversarial attacks on four text classification tasks. The models trained via FLAT also show better robustness than baseline models on unforeseen adversarial examples across different attacks.
33

Chen, Jinghui, Yu Cheng, Zhe Gan, Quanquan Gu, and Jingjing Liu. "Efficient Robust Training via Backward Smoothing." Proceedings of the AAAI Conference on Artificial Intelligence 36, no. 6 (June 28, 2022): 6222–30. http://dx.doi.org/10.1609/aaai.v36i6.20571.

Abstract:
Adversarial training is so far the most effective strategy in defending against adversarial examples. However, it suffers from high computational costs due to the iterative adversarial attacks in each training step. Recent studies show that it is possible to achieve fast Adversarial Training by performing a single-step attack with random initialization. However, such an approach still lags behind state-of-the-art adversarial training algorithms on both stability and model robustness. In this work, we develop a new understanding towards Fast Adversarial Training, by viewing random initialization as performing randomized smoothing for better optimization of the inner maximization problem. Following this new perspective, we also propose a new initialization strategy, backward smoothing, to further improve the stability and model robustness over single-step robust training methods. Experiments on multiple benchmarks demonstrate that our method achieves similar model robustness as the original TRADES method while using much less training time (~3x improvement with the same training schedule).
34

Chen, Pin-Yu, and Sijia Liu. "Holistic Adversarial Robustness of Deep Learning Models." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 13 (June 26, 2023): 15411–20. http://dx.doi.org/10.1609/aaai.v37i13.26797.

Abstract:
Adversarial robustness studies the worst-case performance of a machine learning model to ensure safety and reliability. With the proliferation of deep-learning-based technology, the potential risks associated with model development and deployment can be amplified and become dreadful vulnerabilities. This paper provides a comprehensive overview of research topics and foundational principles of research methods for adversarial robustness of deep learning models, including attacks, defenses, verification, and novel applications.
35

Xu, Yanjie, Hao Sun, Jin Chen, Lin Lei, Kefeng Ji, and Gangyao Kuang. "Adversarial Self-Supervised Learning for Robust SAR Target Recognition." Remote Sensing 13, no. 20 (October 17, 2021): 4158. http://dx.doi.org/10.3390/rs13204158.

Abstract:
Synthetic aperture radar (SAR) can perform observations at all times and has been widely used in the military field. Deep neural network (DNN)-based SAR target recognition models have achieved great success in recent years. Yet, the adversarial robustness of these models has received far less academic attention in the remote sensing community. In this article, we first present a comprehensive adversarial robustness evaluation framework for DNN-based SAR target recognition. Both data-oriented metrics and model-oriented metrics have been used to fully assess the recognition performance under adversarial scenarios. Adversarial training is currently one of the most successful methods to improve the adversarial robustness of DNN models. However, it requires class labels to generate adversarial attacks and suffers a significant accuracy drop on testing data. To address these problems, we introduced adversarial self-supervised learning into SAR target recognition for the first time and proposed a novel unsupervised adversarial contrastive learning-based defense method. Specifically, we utilize a contrastive learning framework to train a robust DNN with unlabeled data, which aims to maximize the similarity of representations between a random augmentation of a SAR image and its unsupervised adversarial example. Extensive experiments on two SAR image datasets demonstrate that defenses based on adversarial self-supervised learning can obtain comparable robust accuracy over state-of-the-art supervised adversarial learning methods.
36

Wu, Hongqiu, Ruixue Ding, Hai Zhao, Pengjun Xie, Fei Huang, and Min Zhang. "Adversarial Self-Attention for Language Understanding." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 11 (June 26, 2023): 13727–35. http://dx.doi.org/10.1609/aaai.v37i11.26608.

Abstract:
Deep neural models (e.g. Transformer) naturally learn spurious features, which create a "shortcut" between the labels and inputs, thus impairing the generalization and robustness. This paper advances the self-attention mechanism to its robust variant for Transformer-based pre-trained language models (e.g. BERT). We propose the Adversarial Self-Attention mechanism (ASA), which adversarially biases the attentions to effectively suppress the model reliance on features (e.g. specific keywords) and encourage its exploration of broader semantics. We conduct comprehensive evaluation across a wide range of tasks for both pre-training and fine-tuning stages. For pre-training, ASA unfolds remarkable performance gain compared to naive training for longer steps. For fine-tuning, ASA-empowered models outweigh naive models by a large margin considering both generalization and robustness.
37

Ma, Chao, and Lexing Ying. "Achieving Adversarial Robustness Requires An Active Teacher." Journal of Computational Mathematics 39, no. 6 (June 2021): 880–96. http://dx.doi.org/10.4208/jcm.2105-m2020-0310.

38

Hassanin, Mohammed, Nour Moustafa, Murat Tahtali, and Kim-Kwang Raymond Choo. "Rethinking maximum-margin softmax for adversarial robustness." Computers & Security 116 (May 2022): 102640. http://dx.doi.org/10.1016/j.cose.2022.102640.

39

Lai, Lifeng, and Erhan Bayraktar. "On the Adversarial Robustness of Robust Estimators." IEEE Transactions on Information Theory 66, no. 8 (August 2020): 5097–109. http://dx.doi.org/10.1109/tit.2020.2985966.

40

Shi, Yucheng, Yahong Han, Quanxin Zhang, and Xiaohui Kuang. "Adaptive iterative attack towards explainable adversarial robustness." Pattern Recognition 105 (September 2020): 107309. http://dx.doi.org/10.1016/j.patcog.2020.107309.

41

Finlay, Chris, and Adam M. Oberman. "Scaleable input gradient regularization for adversarial robustness." Machine Learning with Applications 3 (March 2021): 100017. http://dx.doi.org/10.1016/j.mlwa.2020.100017.

42

Li, Fuwei, Lifeng Lai, and Shuguang Cui. "On the Adversarial Robustness of Subspace Learning." IEEE Transactions on Signal Processing 68 (2020): 1470–83. http://dx.doi.org/10.1109/tsp.2020.2974676.

43

Li, Tianlin, Aishan Liu, Xianglong Liu, Yitao Xu, Chongzhi Zhang, and Xiaofei Xie. "Understanding adversarial robustness via critical attacking route." Information Sciences 547 (February 2021): 568–78. http://dx.doi.org/10.1016/j.ins.2020.08.043.

44

Fawzi, Alhussein, Omar Fawzi, and Pascal Frossard. "Analysis of classifiers’ robustness to adversarial perturbations." Machine Learning 107, no. 3 (August 25, 2017): 481–508. http://dx.doi.org/10.1007/s10994-017-5663-3.

45

Dong, Junhao, Lingxiao Yang, Yuan Wang, Xiaohua Xie, and Jianhuang Lai. "Toward Intrinsic Adversarial Robustness Through Probabilistic Training." IEEE Transactions on Image Processing 32 (2023): 3862–72. http://dx.doi.org/10.1109/tip.2023.3290532.

46

Phan, Huy, Yi Xie, Siyu Liao, Jie Chen, and Bo Yuan. "CAG: A Real-Time Low-Cost Enhanced-Robustness High-Transferability Content-Aware Adversarial Attack Generator." Proceedings of the AAAI Conference on Artificial Intelligence 34, no. 04 (April 3, 2020): 5412–19. http://dx.doi.org/10.1609/aaai.v34i04.5990.

Abstract:
Deep neural networks (DNNs) are vulnerable to adversarial attack despite their tremendous success in many artificial intelligence fields. Adversarial attack is a method that causes the intended misclassification by adding imperceptible perturbations to legitimate inputs. To date, researchers have developed numerous types of adversarial attack methods. However, from the perspective of practical deployment, these methods suffer from several drawbacks such as long attack generating time, high memory cost, insufficient robustness and low transferability. To address the drawbacks, we propose a Content-aware Adversarial Attack Generator (CAG) to achieve real-time, low-cost, enhanced-robustness and high-transferability adversarial attack. First, as a type of generative model-based attack, CAG shows significant speedup (at least 500 times) in generating adversarial examples compared to the state-of-the-art attacks such as PGD and C&W. Furthermore, CAG only needs a single generative model to perform targeted attack to any targeted class. Because CAG encodes the label information into a trainable embedding layer, it differs from prior generative model-based adversarial attacks that use n different copies of generative models for n different targeted classes. As a result, CAG significantly reduces the required memory cost for generating adversarial examples. Moreover, CAG can generate adversarial perturbations that focus on the critical areas of input by integrating the class activation maps information in the training process, and hence improve the robustness of CAG attack against the state-of-the-art adversarial defenses. In addition, CAG exhibits high transferability across different DNN classifier models in the black-box attack scenario by introducing random dropout in the process of generating perturbations. Extensive experiments on different datasets and DNN models have verified the real-time, low-cost, enhanced-robustness, and high-transferability benefits of CAG.
47

Jeong, Jongheon, Seojin Kim, and Jinwoo Shin. "Confidence-Aware Training of Smoothed Classifiers for Certified Robustness." Proceedings of the AAAI Conference on Artificial Intelligence 37, no. 7 (June 26, 2023): 8005–13. http://dx.doi.org/10.1609/aaai.v37i7.25968.

Abstract:
Any classifier can be "smoothed out" under Gaussian noise to build a new classifier that is provably robust to l2-adversarial perturbations, viz., by averaging its predictions over the noise via randomized smoothing. Under the smoothed classifiers, the fundamental trade-off between accuracy and (adversarial) robustness has been well evidenced in the literature: i.e., increasing the robustness of a classifier for an input can be at the expense of decreased accuracy for some other inputs. In this paper, we propose a simple training method leveraging this trade-off to obtain robust smoothed classifiers, in particular, through a sample-wise control of robustness over the training samples. We make this control feasible by using "accuracy under Gaussian noise" as an easy-to-compute proxy of adversarial robustness for an input. Specifically, we differentiate the training objective depending on this proxy to filter out samples that are unlikely to benefit from the worst-case (adversarial) objective. Our experiments show that the proposed method, despite its simplicity, consistently exhibits improved certified robustness upon state-of-the-art training methods. Somewhat surprisingly, we find these improvements persist even for other notions of robustness, e.g., to various types of common corruptions. Code is available at https://github.com/alinlab/smoothing-catrs.
48

Chen, Xu, Chuancai Liu, Yue Zhao, Zhiyang Jia, and Ge Jin. "Improving adversarial robustness of Bayesian neural networks via multi-task adversarial training." Information Sciences 592 (May 2022): 156–73. http://dx.doi.org/10.1016/j.ins.2022.01.051.

49

Ma, Linhai, and Liang Liang. "Increasing-Margin Adversarial (IMA) training to improve adversarial robustness of neural networks." Computer Methods and Programs in Biomedicine 240 (October 2023): 107687. http://dx.doi.org/10.1016/j.cmpb.2023.107687.

50

Sun, Liting, Da Ke, Xiang Wang, Zhitao Huang, and Kaizhu Huang. "Robustness of Deep Learning-Based Specific Emitter Identification under Adversarial Attacks." Remote Sensing 14, no. 19 (October 7, 2022): 4996. http://dx.doi.org/10.3390/rs14194996.

Abstract:
The deep learning (DL)-based specific emitter identification (SEI) technique can automatically extract radio frequency (RF) fingerprint features in RF signals to distinguish between legal and illegal devices and enhance the security of wireless networks. However, a deep neural network (DNN) can easily be fooled by adversarial examples or perturbations of the input data. If a malicious device emits signals containing specially designed adversarial samples, will the DL-based SEI still work stably to correctly identify the malicious device? To the best of our knowledge, this research is still blank, let alone the corresponding defense methods. Therefore, this paper designs two scenarios of attack and defense and proposes the corresponding implementation methods to specialize in the robustness of DL-based SEI under adversarial attacks. On this basis, detailed experiments are carried out based on real-world data and simulation data. The attack scenario is that the malicious device adds a specially designed adversarial perturbation signal to the original signal, misleading the original system into making a misjudgment. Experiments based on three different attack generation methods show that DL-based SEI is very vulnerable. Even if the intensity is very low, without affecting the probability density distribution of the original signal, the performance can be reduced to about 50%, and at −22 dB it is completely invalid. In the defense scenario, the adversarial training (AT) of DL-based SEI is added, which can significantly improve the system's performance under adversarial attacks, with ≥60% improvement in the recognition rate compared to the network without AT. Further, AT has a more robust effect on white noise. This study fills the relevant gaps and provides guidance for future research. In future research, the impact of adversarial attacks must be considered, and it is necessary to add adversarial training in the training process.