
Parameter-Saving Adversarial Training: Reinforcing Multi-Perturbation Robustness via Hypernetworks (2309.16207v1)

Published 28 Sep 2023 in cs.CV

Abstract: Adversarial training is one of the most popular and effective methods for defending against adversarial perturbations. However, most defense mechanisms consider only a single type of perturbation, whereas in real-world scenarios an adversary may adopt various attack methods, e.g., $\ell_2$ or $\ell_\infty$, to mount stronger adversarial attacks against the deployed model. Defending against various attacks is challenging, since multi-perturbation adversarial training and its variants achieve only suboptimal robustness trade-offs, owing to the theoretical limit on multi-perturbation robustness for a single model. In addition, deploying large models is impractical in scenarios where storage efficiency is required. To address these drawbacks, in this paper we propose a novel multi-perturbation adversarial training framework, parameter-saving adversarial training (PSAT), which reinforces multi-perturbation robustness with the advantageous side effect of saving parameters: it leverages hypernetworks to train specialized models, each against a single perturbation, and aggregates these specialized models to defend against multiple perturbations. Finally, we extensively evaluate and compare the proposed method with state-of-the-art single- and multi-perturbation robust methods against various recent attack methods on different datasets, showing the robustness superiority and parameter efficiency of our method; e.g., on the CIFAR-10 dataset with ResNet-50 as the backbone, PSAT saves approximately 80% of parameters while achieving the state-of-the-art robustness trade-off accuracy.

Authors (6)
  1. Huihui Gong (3 papers)
  2. Minjing Dong (28 papers)
  3. Siqi Ma (28 papers)
  4. Seyit Camtepe (68 papers)
  5. Surya Nepal (115 papers)
  6. Chang Xu (323 papers)
Citations (1)
