• Corpus ID: 59599809

Theoretical evidence for adversarial robustness through randomization: the case of the Exponential family

@article{Pinot2019TheoreticalEF,
  title={Theoretical evidence for adversarial robustness through randomization: the case of the Exponential family},
  author={Rafael Pinot and Laurent Meunier and Alexandre Araujo and Hisashi Kashima and Florian Yger and C{\'e}dric Gouy-Pailler and Jamal Atif},
  journal={ArXiv},
  year={2019},
  volume={abs/1902.01148}
}
This paper investigates the theory of robustness against adversarial attacks. It focuses on the family of randomization techniques that consist in injecting noise in the network at inference time. These techniques have proven effective in many contexts, but lack theoretical arguments. We close this gap by presenting a theoretical analysis of these approaches, hence explaining why they perform well in practice. More precisely, we provide the first result relating the randomization rate to… 


A unified view on differential privacy and robustness to adversarial examples
TLDR
This short note highlights some links between two lines of research within the emerging topic of trustworthy machine learning: differential privacy and robustness to adversarial examples by abstracting the definitions of both notions and observing that Renyi-differential privacy and the definition of robustness share several similarities.
Certified Robustness to Adversarial Examples with Differential Privacy
TLDR
This paper presents the first certified defense that both scales to large networks and datasets and applies broadly to arbitrary model types, based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism.
Robust Neural Networks using Randomized Adversarial Training
TLDR
Randomized Adversarial Training (RAT), a technique that is efficient both against ℓ2 and ℓ∞ attacks, is introduced, and it is shown that RAT is as efficient as adversarial training against ℓ∞ attacks while being robust against strong ℓ2 attacks.
Adversarial Classification Under Differential Privacy
TLDR
This work shows that a strategic attacker can leverage the additional noise to mislead the classifier beyond what the attacker could do otherwise; it proposes countermeasures against such attacks.
Robustifying $\ell_\infty$ Adversarial Training to the Union of Perturbation Models
TLDR
This work expands the capabilities of widely popular single-attack ℓ∞ AT frameworks to provide robustness to the union of (ℓ∞, ℓ2, ℓ1) perturbations while preserving their training efficiency, and establishes a benchmark for ResNet-50 and ResNet-101 on ImageNet.
Adversarial Robustness by Design through Analog Computing and Synthetic Gradients
TLDR
A new defense mechanism against adversarial attacks inspired by an optical coprocessor is proposed, providing robustness without compromising natural accuracy in both white-box and black-box settings, and the combination of a random projection and binarization in the optical system improves robustness against various types of black-box attacks.
Adversarial Robustness Through Local Lipschitzness
TLDR
The results show that having a small Lipschitz constant correlates with achieving high clean and robust accuracy, and therefore, the smoothness of the classifier is an important property to consider in the context of adversarial examples.
Learn2Perturb: An End-to-End Feature Perturbation Learning to Improve Adversarial Robustness
TLDR
The proposed Learn2Perturb method can result in deep neural networks which are 4-7% more robust on ℓ∞ FGSM and PGD adversarial attacks and significantly outperforms the state of the art against the ℓ2 C&W attack and a wide range of well-known black-box attacks.
Yet another but more efficient black-box adversarial attack: tiling and evolution strategies
TLDR
A new black-box attack achieving state of the art performances based on a new objective function, borrowing ideas from $\ell_\infty$-white box attacks, and particularly designed to fit derivative-free optimization requirements.
ROPUST: Improving Robustness through Fine-tuning with Photonic Processors and Synthetic Gradients
TLDR
This work introduces ROPUST, a remarkably simple and efficient method to leverage robust pre-trained models and further increase their robustness, at no cost in natural accuracy, and introduces phase retrieval attacks, specifically designed to increase the threat level of attackers against the authors' own defense.

References

Certified Robustness to Adversarial Examples with Differential Privacy
TLDR
This paper presents the first certified defense that both scales to large networks and datasets and applies broadly to arbitrary model types, based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism.
Mitigating adversarial effects through randomization
TLDR
This paper proposes to utilize randomization at inference time to mitigate adversarial effects, and uses two randomization operations: random resizing, which resizes the input images to a random size, and random padding, which pads zeros around the input image in a random manner.
Adversarial Risk and Robustness: General Definitions and Implications for the Uniform Distribution
TLDR
This study advocates the use of the error-region definition of adversarial perturbations, and studies inherent bounds on risk and robustness of any classifier for any classification problem whose instances are uniformly distributed over $\{0,1\}^n$.
Robustness of classifiers: from adversarial to random noise
TLDR
This paper proposes the first quantitative analysis of the robustness of nonlinear classifiers in this general noise regime, and establishes precise theoretical bounds on the robustness of classifiers, which depend on the curvature of the classifier's decision boundary.
Stochastic Activation Pruning for Robust Adversarial Defense
TLDR
Stochastic Activation Pruning (SAP) is proposed, a mixed strategy for adversarial defense that prunes a random subset of activations (preferentially pruning those with smaller magnitude) and scales up the survivors to compensate.
Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks
TLDR
The study shows that defensive distillation can reduce the effectiveness of adversarial sample creation from 95% to less than 0.5% on a studied DNN, and analytically investigates the generalizability and robustness properties granted by the use of defensive distillation when training DNNs.
Parametric Noise Injection: Trainable Randomness to Improve Deep Neural Network Robustness Against Adversarial Attack
TLDR
Parametric-Noise-Injection (PNI) is proposed which involves trainable Gaussian noise injection at each layer on either activation or weights through solving the Min-Max optimization problem, embedded with adversarial training, and effectively improves DNN's robustness against adversarial attack.
Adversarial Vulnerability of Neural Networks Increases With Input Dimension
TLDR
This work shows that adversarial vulnerability increases with the gradients of the training objective when seen as a function of the inputs, and rediscovers and generalizes double-backpropagation, a technique that penalizes large gradients in the loss surface to reduce adversarial vulnerability and increase generalization performance.
Universal Adversarial Perturbations
TLDR
The surprising existence of universal perturbations reveals important geometric correlations among the high-dimensional decision boundary of classifiers and outlines potential security breaches with the existence of single directions in the input space that adversaries can possibly exploit to break a classifier on most natural images.
Adversarial examples from computational constraints
TLDR
This work proves that, for a broad set of classification tasks, the mere existence of a robust classifier implies that it can be found by a possibly exponential-time algorithm with relatively few training examples and gives an exponential separation between classical learning and robust learning in the statistical query model.