
Optimal Zero-Shot Detector for Multi-Armed Attacks (2402.15808v2)

Published 24 Feb 2024 in cs.LG, cs.AI, and cs.CR

Abstract: This paper explores a scenario in which a malicious actor employs a multi-armed attack strategy to manipulate data samples, offering them various avenues to introduce noise into the dataset. Our central objective is to protect the data by detecting any alterations to the input. We approach this defensive strategy with utmost caution, operating in an environment where the defender possesses significantly less information compared to the attacker. Specifically, the defender is unable to utilize any data samples for training a defense model or verifying the integrity of the channel. Instead, the defender relies exclusively on a set of pre-existing detectors readily available "off the shelf". To tackle this challenge, we derive an innovative information-theoretic defense approach that optimally aggregates the decisions made by these detectors, eliminating the need for any training data. We further explore a practical use-case scenario for empirical evaluation, where the attacker possesses a pre-trained classifier and launches well-known adversarial attacks against it. Our experiments highlight the effectiveness of our proposed solution, even in scenarios that deviate from the optimal setup.

