
Towards Efficient Training and Evaluation of Robust Models against $l_0$ Bounded Adversarial Perturbations (2405.05075v2)

Published 8 May 2024 in cs.LG

Abstract: This work studies sparse adversarial perturbations bounded by $l_0$ norm. We propose a white-box PGD-like attack method named sparse-PGD to effectively and efficiently generate such perturbations. Furthermore, we combine sparse-PGD with a black-box attack to comprehensively and more reliably evaluate the models' robustness against $l_0$ bounded adversarial perturbations. Moreover, the efficiency of sparse-PGD enables us to conduct adversarial training to build robust models against sparse perturbations. Extensive experiments demonstrate that our proposed attack algorithm exhibits strong performance in different scenarios. More importantly, compared with other robust models, our adversarially trained model demonstrates state-of-the-art robustness against various sparse attacks. Code is available at https://github.com/CityU-MLO/sPGD.

Authors (3)
  1. Xuyang Zhong (4 papers)
  2. Yixiao Huang (16 papers)
  3. Chen Liu (206 papers)
Citations (1)
