Exploring the Adversarial Frontier: Quantifying Robustness via Adversarial Hypervolume (2403.05100v2)

Published 8 Mar 2024 in cs.CR, cs.AI, cs.CV, and cs.LG

Abstract: The escalating threat of adversarial attacks on deep learning models, particularly in security-critical fields, has underscored the need for robust deep learning systems. Conventional robustness evaluations have relied on adversarial accuracy, which measures a model's performance under a specific perturbation intensity. However, this singular metric does not fully encapsulate the overall resilience of a model against varying degrees of perturbation. To address this gap, we propose a new metric termed adversarial hypervolume, assessing the robustness of deep learning models comprehensively over a range of perturbation intensities from a multi-objective optimization standpoint. This metric allows for an in-depth comparison of defense mechanisms and recognizes the trivial improvements in robustness afforded by less potent defensive strategies. Additionally, we adopt a novel training algorithm that enhances adversarial robustness uniformly across various perturbation intensities, in contrast to methods narrowly focused on optimizing adversarial accuracy. Our extensive empirical studies validate the effectiveness of the adversarial hypervolume metric, demonstrating its ability to reveal subtle differences in robustness that adversarial accuracy overlooks. This research contributes a new measure of robustness and establishes a standard for assessing and benchmarking the resilience of current and future defensive models against adversarial threats.
