Language-Driven Anchors for Zero-Shot Adversarial Robustness

Published 30 Jan 2023 in cs.CV, cs.AI, and cs.LG | (2301.13096v3)

Abstract: Deep Neural Networks (DNNs) are known to be susceptible to adversarial attacks. Previous research has mainly focused on improving adversarial robustness in the fully supervised setting, leaving the challenging domain of zero-shot adversarial robustness an open question. In this work, we investigate this domain by leveraging recent advances in large vision-language models, such as CLIP, to introduce zero-shot adversarial robustness to DNNs. We propose LAAT, a Language-driven, Anchor-based Adversarial Training strategy. LAAT uses the text-encoder features of each category as fixed anchors (normalized feature embeddings), which are then employed for adversarial training. By leveraging the semantic consistency of the text encoders, LAAT aims to enhance the adversarial robustness of the image model on novel categories. However, naively using text encoders leads to poor results. Through analysis, we identified the issue to be the high cosine similarity between text encoders. We then design an expansion algorithm and an alignment cross-entropy loss to alleviate the problem. Our experimental results demonstrate that LAAT significantly improves zero-shot adversarial robustness over state-of-the-art methods. LAAT has the potential to enhance adversarial robustness with large-scale multimodal models, especially when labeled data is unavailable during training.
