
Improving adversarial robustness of deep neural networks via adaptive margin evolution

Published: 28 September 2023

Highlights

A proof of the existence of an optimal state for adversarial training.
An adaptive margin evolution strategy that seeks to reach the optimal state of adversarial training.
Being hyperparameter-free is achieved as a by-product of the new strategy.
Outperforms seven representative adversarial training methods on three benchmark datasets: CIFAR10, SVHN, and Tiny ImageNet.

Abstract

Adversarial training is the most popular and general strategy for improving Deep Neural Network (DNN) robustness against adversarial noise. Many adversarial training methods have been proposed in the past few years. However, most of these methods are highly sensitive to hyperparameters, especially the upper bound on the training noise. Tuning these hyperparameters is expensive and difficult for people outside the adversarial robustness research domain, which prevents adversarial training techniques from being used in many application fields. In this study, we propose a new adversarial training method, named Adaptive Margin Evolution (AME). Besides being hyperparameter-free for the user, our AME method places adversarial training samples at the optimal locations in the input space by gradually expanding the exploration range with self-adaptive and gradient-aware step sizes. We evaluate AME and seven other well-known adversarial training methods on three common benchmark datasets (CIFAR10, SVHN, and Tiny ImageNet) under the most challenging adversarial attack: AutoAttack. The results show that: (1) on all three datasets, AME has the best overall performance; (2) on the Tiny ImageNet dataset, which is much more challenging, AME has the best performance at every noise level. Our work may pave the way for adopting adversarial training techniques in application domains where hyperparameter-free methods are preferred.



Published In

Neurocomputing, Volume 551, Issue C
Sep 2023
384 pages

Publisher

Elsevier Science Publishers B. V.

Netherlands


Author Tags

  1. Deep neural networks
  2. Adversarial robustness
  3. Adversarial training
  4. Optimal adversarial training sample
  5. Hyperparameter-free

Qualifiers

  • Research-article

Article Metrics

  • Total Citations: 0
  • Total Downloads: 0
  • Downloads (Last 12 months): 0
  • Downloads (Last 6 weeks): 0

Reflects downloads up to 01 Jan 2025
