Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
194 tokens/sec
GPT-4o
7 tokens/sec
Gemini 2.5 Pro Pro
45 tokens/sec
o3 Pro
4 tokens/sec
GPT-4.1 Pro
38 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Robust width: A lightweight and certifiable adversarial defense (2405.15971v1)

Published 24 May 2024 in cs.LG, cs.CR, and cs.CV

Abstract: Deep neural networks are vulnerable to so-called adversarial examples: inputs which are intentionally constructed to cause the model to make incorrect predictions or classifications. Adversarial examples are often visually indistinguishable from natural data samples, making them hard to detect. As such, they pose significant threats to the reliability of deep learning systems. In this work, we study an adversarial defense based on the robust width property (RWP), which was recently introduced for compressed sensing. We show that a specific input purification scheme based on the RWP gives theoretical robustness guarantees for images that are approximately sparse. The defense is easy to implement and can be applied to any existing model without additional training or finetuning. We empirically validate the defense on ImageNet against $L\infty$ perturbations at perturbation budgets ranging from $4/255$ to $32/255$. In the black-box setting, our method significantly outperforms the state-of-the-art, especially for large perturbations. In the white-box setting, depending on the choice of base classifier, we closely match the state of the art in robust ImageNet classification while avoiding the need for additional data, larger models or expensive adversarial training routines. Our code is available at https://github.com/peck94/robust-width-defense.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (85)
  1. Wild patterns: Ten years after the rise of adversarial machine learning. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, pages 2154–2156, 2018.
  2. Imagenet: A large-scale hierarchical image database. In 2009 IEEE conference on computer vision and pattern recognition, pages 248–255. Ieee, 2009.
  3. Deep residual learning for image recognition. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 770–778, 2016.
  4. Robust physical-world attacks on deep learning visual classification. In Proceedings of the IEEE conference on computer vision and pattern recognition, pages 1625–1634, 2018.
  5. Practical black-box attacks against machine learning. In Proceedings of the 2017 ACM on Asia conference on computer and communications security, pages 506–519, 2017.
  6. An introduction to adversarially robust deep learning. IEEE Transactions on Pattern Analysis and Machine Intelligence, 46(4):2071–2090, 2024. doi: 10.1109/TPAMI.2023.3331087.
  7. A survey of robust adversarial training in pattern recognition: Fundamental, theory, and methodologies. Pattern Recognition, 131:108889, 2022.
  8. Towards deep learning models resistant to adversarial attacks. arXiv preprint arXiv:1706.06083, 2017.
  9. Explaining and harnessing adversarial examples. arXiv preprint arXiv:1412.6572, 2014.
  10. Certified adversarial robustness via randomized smoothing. In international conference on machine learning, pages 1310–1320. PMLR, 2019.
  11. Randomized smoothing of all shapes and sizes. In International Conference on Machine Learning, pages 10693–10705. PMLR, 2020.
  12. Wasserstein smoothing: Certified robustness against Wasserstein adversarial attacks. In International Conference on Artificial Intelligence and Statistics, pages 3938–3947. PMLR, 2020.
  13. Denoised smoothing: A provable defense for pretrained classifiers. Advances in Neural Information Processing Systems, 33:21945–21957, 2020.
  14. (Certified!!) Adversarial Robustness for Free! In The Eleventh International Conference on Learning Representations, 2023. URL https://openreview.net/forum?id=JLg5aHHv7j.
  15. A survey on deep learning tools dealing with data scarcity: definitions, challenges, solutions, tips, and applications. Journal of Big Data, 10(1):46, 2023.
  16. Adversarial attacks on medical machine learning. Science, 363(6433):1287–1289, 2019.
  17. Universal adversarial attacks on deep neural networks for medical image classification. BMC Med. Imaging, 21(1):1–13, December 2021. ISSN 1471-2342. doi: 10.1186/s12880-020-00530-y.
  18. Understanding adversarial attacks on deep learning based medical image analysis systems. Pattern Recognit., 110:107332, February 2021. ISSN 0031-3203. doi: 10.1016/j.patcog.2020.107332.
  19. Robust width: A characterization of uniformly stable and robust compressed sensing. Excursions in Harmonic Analysis, Volume 6: In Honor of John Benedetto’s 80th Birthday, pages 343–371, 2021.
  20. Stable and robust ℓpsubscriptℓ𝑝\ell_{p}roman_ℓ start_POSTSUBSCRIPT italic_p end_POSTSUBSCRIPT-constrained compressive sensing recovery via robust width property. Journal of the Korean Mathematical Society, 56(3):689–701, 2019.
  21. Square attack: A query-efficient black-box adversarial attack via random search. In Andrea Vedaldi, Horst Bischof, Thomas Brox, and Jan-Michael Frahm, editors, Computer Vision – ECCV 2020, pages 484–501, Cham, 2020. Springer International Publishing. ISBN 978-3-030-58592-1.
  22. Reliable evaluation of adversarial robustness with an ensemble of diverse parameter-free attacks. In International conference on machine learning, pages 2206–2216. PMLR, 2020a.
  23. Intriguing properties of neural networks. arXiv preprint arXiv:1312.6199, 2013.
  24. Jong Chul Ye. Compressed sensing MRI: a review from signal processing perspective. BMC Biomedical Engineering, 1(1):8, 2019.
  25. Abdeldjalil Ouahabi. A review of wavelet denoising in medical imaging. In 2013 8th international workshop on systems, signal processing and their applications (WoSSPA), pages 19–26. IEEE, 2013.
  26. A Mathematical Introduction to Compressive Sensing. Applied and Numerical Harmonic Analysis. Springer, 2015.
  27. An iterative thresholding algorithm for linear inverse problems with a sparsity constraint. Communications on Pure and Applied Mathematics: A Journal Issued by the Courant Institute of Mathematical Sciences, 57(11):1413–1457, 2004.
  28. Sparse dnns with improved adversarial robustness. In S. Bengio, H. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, and R. Garnett, editors, Advances in Neural Information Processing Systems, volume 31. Curran Associates, Inc., 2018. URL https://proceedings.neurips.cc/paper_files/paper/2018/file/4c5bde74a8f110656874902f07378009-Paper.pdf.
  29. Variational dropout sparsifies deep neural networks. In International conference on machine learning, pages 2498–2507. PMLR, 2017.
  30. Sparsity in deep learning: Pruning and growth for efficient inference and training in neural networks. Journal of Machine Learning Research, 22(241):1–124, 2021.
  31. Pruning and quantization for deep neural network acceleration: A survey. Neurocomputing, 461:370–403, 2021.
  32. Enhancing robustness of machine learning systems via data transformations. In 2018 52nd Annual Conference on Information Sciences and Systems (CISS), pages 1–5, 2018. doi: 10.1109/CISS.2018.8362326.
  33. Countering adversarial images using input transformations. arXiv preprint arXiv:1711.00117, 2017.
  34. Keeping the bad guys out: Protecting and vaccinating deep learning with JPEG compression. arXiv preprint arXiv:1705.02900, 2017.
  35. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In International conference on machine learning, pages 274–283. PMLR, 2018.
  36. Evaluating the adversarial robustness of adaptive test-time defenses. In International Conference on Machine Learning, pages 4421–4435. PMLR, 2022.
  37. Sparsity-based defense against adversarial attacks on linear classifiers. In 2018 IEEE International Symposium on Information Theory (ISIT), pages 31–35. IEEE, 2018.
  38. Thwarting adversarial examples: An l_0-robust sparse fourier transform. In S. Bengio, H. Wallach, H. Larochelle, K. Grauman, N. Cesa-Bianchi, and R. Garnett, editors, Advances in Neural Information Processing Systems, volume 31. Curran Associates, Inc., 2018. URL https://proceedings.neurips.cc/paper_files/paper/2018/file/aef546f29283b6ccef3c61f58fb8e79b-Paper.pdf.
  39. Recovery guarantees for compressible signals with adversarial noise. arXiv preprint arXiv:1907.06565, 2019.
  40. Adversarial robustness of supervised sparse coding. In H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, and H. Lin, editors, Advances in Neural Information Processing Systems, volume 33, pages 2110–2121. Curran Associates, Inc., 2020. URL https://proceedings.neurips.cc/paper_files/paper/2020/file/170f6aa36530c364b77ddf83a84e7351-Paper.pdf.
  41. On adaptive attacks to adversarial example defenses. Advances in neural information processing systems, 33:1633–1645, 2020.
  42. Defense against adversarial examples based on wavelet domain analysis. Applied Intelligence, 53(1):423–439, April 2022. ISSN 1573-7497. doi: 10.1007/s10489-022-03159-2. URL http://dx.doi.org/10.1007/s10489-022-03159-2.
  43. Adversarial defense with local robust principal component analysis and wavelet denoising. In 2023 3rd International Conference on Range Technology (ICORT), pages 1–6, 2023. doi: 10.1109/ICORT56052.2023.10249152.
  44. Adversarial Defense by Suppressing High-frequency Components. arXiv, August 2019. doi: 10.48550/arXiv.1908.06566.
  45. A Frequency Perspective of Adversarial Robustness. arXiv, October 2021. doi: 10.48550/arXiv.2111.00861.
  46. Simple Black-box Adversarial Attacks. arXiv, May 2019. doi: 10.48550/arXiv.1905.07121.
  47. Data dependent randomized smoothing. In Uncertainty in Artificial Intelligence, pages 64–74. PMLR, 2022.
  48. Certified robustness via locally biased randomized smoothing. In Learning for Dynamics and Control Conference, pages 207–220. PMLR, 2022.
  49. RANCER: Non-axis aligned anisotropic certification with randomized smoothing. In Proceedings of the IEEE/CVF Winter Conference on Applications of Computer Vision, pages 4672–4680, 2023.
  50. Plug-and-play admm for image restoration: Fixed-point convergence and applications. IEEE Transactions on Computational Imaging, 3(1):84–98, 2016.
  51. Low-rank matrix recovery via rank one tight frame measurements. Journal of Fourier Analysis and Applications, 25:588–593, 2019.
  52. Deterministic matrices matching the compressed sensing phase transitions of Gaussian random matrices. Proceedings of the National Academy of Sciences, 110(4):1181–1186, 2013.
  53. Deterministic construction of Fourier-based compressed sensing matrices using an almost difference set. EURASIP Journal on Advances in Signal Processing, 2013(1):1–14, 2013.
  54. The restricted isometry property of subsampled Fourier matrices. In Geometric Aspects of Functional Analysis: Israel Seminar (GAFA) 2014–2016, pages 163–179. Springer, 2017.
  55. Do not zero-pute: an efficient homespun mpeg-audio layer ii decoding and optimization strategy. In Proceedings of the 12th Annual ACM International Conference on Multimedia, MULTIMEDIA ’04, page 376–379, New York, NY, USA, 2004. Association for Computing Machinery. ISBN 1581138938. doi: 10.1145/1027527.1027615. URL https://doi.org/10.1145/1027527.1027615.
  56. Intriguing properties of input-dependent randomized smoothing. arXiv preprint arXiv:2110.05365, 2021.
  57. The fourth international verification of neural networks competition (VNN-COMP 2023): Summary and results. arXiv preprint arXiv:2312.16760, 2023.
  58. Beta-CROWN: Efficient bound propagation with per-neuron split constraints for complete and incomplete neural network verification. Advances in Neural Information Processing Systems, 34, 2021.
  59. Minimally distorted adversarial examples with a fast adaptive boundary attack. In International Conference on Machine Learning, pages 2196–2205. PMLR, 2020b.
  60. Towards evaluating the robustness of neural networks. In 2017 ieee symposium on security and privacy (sp), pages 39–57. IEEE, 2017.
  61. The split Bregman method for L1-regularized problems. SIAM journal on imaging sciences, 2(2):323–343, 2009.
  62. The elements of statistical learning: data mining, inference, and prediction, volume 2. Springer, 2009.
  63. Amara Graps. An introduction to wavelets. IEEE computational science and engineering, 2(2):50–61, 1995.
  64. Sparse multidimensional representations using anisotropic dilation and shear operators. Wavelets and splines, 14:189–201, 2006.
  65. PyTorch: An Imperative Style, High-Performance Deep Learning Library. In Advances in Neural Information Processing Systems 32, pages 8024–8035. Curran Associates, Inc., 2019. URL http://papers.neurips.cc/paper/9015-pytorch-an-imperative-style-high-performance-deep-learning-library.pdf.
  66. Wide residual networks. arXiv preprint arXiv:1605.07146, 2016.
  67. An image is worth 16x16 words: Transformers for image recognition at scale. arXiv preprint arXiv:2010.11929, 2020.
  68. Swin Transformer: Hierarchical vision transformer using shifted windows. In Proceedings of the IEEE/CVF international conference on computer vision, pages 10012–10022, 2021.
  69. Fergal Cotter. Pytorch wavelets, 2018. URL https://github.com/fbcotter/pytorch_wavelets.
  70. Stefan Loock. pyShearLab, 2017. URL https://github.com/stefanloock/pyshearlab.
  71. Adversarial robustness toolbox v1.2.0. CoRR, 1807.01069, 2018. URL https://arxiv.org/pdf/1807.01069.
  72. RobustBench: a standardized adversarial robustness benchmark. arXiv preprint arXiv:2010.09670, 2020.
  73. A comprehensive study on robustness of image classification models: Benchmarking and rethinking. arXiv preprint arXiv:2302.14301, 2023.
  74. A light recipe to train robust vision transformers. In 2023 IEEE Conference on Secure and Trustworthy Machine Learning (SaTML), pages 225–253. IEEE, 2023.
  75. Robust principles: Architectural design principles for adversarially robust CNNs. arXiv preprint arXiv:2308.16258, 2023.
  76. Fast is better than free: Revisiting adversarial training. arXiv preprint arXiv:2001.03994, 2020.
  77. Diffusion models for adversarial purification. arXiv preprint arXiv:2205.07460, 2022.
  78. Optuna: A next-generation hyperparameter optimization framework. In Proceedings of the 25th ACM SIGKDD international conference on knowledge discovery & data mining, pages 2623–2631, 2019.
  79. On evaluating adversarial robustness. arXiv preprint arXiv:1902.06705, 2019.
  80. Intriguing properties of vision transformers. Advances in Neural Information Processing Systems, 34:23296–23308, 2021.
  81. Compressed sensing using generative models. In International conference on machine learning, pages 537–546. PMLR, 2017.
  82. Learned reconstruction methods with convergence guarantees: A survey of concepts and applications. IEEE Signal Processing Magazine, 40(1):164–182, 2023. doi: 10.1109/MSP.2022.3207451.
  83. Denoising diffusion restoration models. Advances in Neural Information Processing Systems, 35:23593–23606, 2022.
  84. David L Donoho et al. High-dimensional data analysis: The curses and blessings of dimensionality. AMS math challenges lecture, 1(2000):32, 2000.
  85. Testing the manifold hypothesis. Journal of the American Mathematical Society, 29(4):983–1049, 2016.
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets