• Corpus ID: 59599809

# Theoretical evidence for adversarial robustness through randomization: the case of the Exponential family

@article{Pinot2019TheoreticalEF,
title={Theoretical evidence for adversarial robustness through randomization: the case of the Exponential family},
author={Rafael Pinot and Laurent Meunier and Alexandre Araujo and Hisashi Kashima and Florian Yger and C{\'e}dric Gouy-Pailler and Jamal Atif},
journal={ArXiv},
year={2019},
volume={abs/1902.01148}
}
• Published 4 February 2019
• Computer Science, Mathematics
• ArXiv
This paper investigates the theory of robustness against adversarial attacks. It focuses on the family of randomization techniques that consist in injecting noise in the network at inference time. These techniques have proven effective in many contexts, but lack theoretical arguments. We close this gap by presenting a theoretical analysis of these approaches, hence explaining why they perform well in practice. More precisely, we provide the first result relating the randomization rate to…
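To make the mechanism concrete, here is an added example (not code from the paper or its authors): a constructed toy linear classifier whose logits receive Gaussian noise at inference time, with the Rényi divergence between the output distributions on a clean input and on a perturbed input used as the robustness measure. Gaussian noise is one member of the exponential family the paper treats, and the closed form for the Rényi divergence between two Gaussians of equal covariance is a standard identity; the weights `W`, bias `B`, input `x`, perturbation `tau`, and the Frobenius-norm bound in `sigma_for_budget` are illustrative choices made here, not quantities from the paper.

```python
"""
Added illustration (not code from the paper): noise injection at inference
time on a constructed toy linear classifier, measured with the Renyi
divergence between the output distributions on a clean input x and on a
perturbed input x + tau.

With logits z = W x + b and Gaussian noise N(0, sigma^2 I) added to z, the two
output distributions are N(z, sigma^2 I) and N(z', sigma^2 I), and the Renyi
divergence of order alpha has the closed form
    D_alpha = alpha * ||z - z'||_2^2 / (2 sigma^2),
so a larger sigma makes the two distributions harder to tell apart, at the
price of noisier (less confident) clean predictions.
"""
import math
import random

# Constructed toy 2-class classifier: W is 2x3, B has one entry per class.
W = [[1.0, -2.0, 0.5],
     [-1.5, 1.0, 2.0]]
B = [0.1, -0.1]


def logits(x):
    """z = W x + b for the toy linear model."""
    return [sum(w * xj for w, xj in zip(row, x)) + bi for row, bi in zip(W, B)]


def renyi_gaussian(z, z_prime, sigma, alpha):
    """Renyi divergence of order alpha between N(z, sigma^2 I) and N(z', sigma^2 I)."""
    sq_dist = sum((a - c) ** 2 for a, c in zip(z, z_prime))
    return alpha * sq_dist / (2.0 * sigma ** 2)


def randomized_predict(x, sigma, rng):
    """One stochastic forward pass: argmax of (logits + Gaussian noise)."""
    noisy = [zi + rng.gauss(0.0, sigma) for zi in logits(x)]
    return max(range(len(noisy)), key=noisy.__getitem__)


def vote_distribution(x, sigma, n, seed=0):
    """Monte Carlo estimate of P(prediction = c) for the randomized classifier."""
    rng = random.Random(seed)
    counts = [0] * len(B)
    for _ in range(n):
        counts[randomized_predict(x, sigma, rng)] += 1
    return [c / n for c in counts]


def sigma_for_budget(tau_norm, alpha, budget):
    """Smallest sigma such that D_alpha <= budget for every ||tau||_2 <= tau_norm.

    For a linear model ||z - z'|| = ||W tau|| <= ||W||_op ||tau||; the Frobenius
    norm is used here as a cheap (loose) upper bound on the operator norm.
    This is an illustrative bound for the toy model, not a result from the paper.
    """
    w_frob = math.sqrt(sum(w * w for row in W for w in row))
    return math.sqrt(alpha * (w_frob * tau_norm) ** 2 / (2.0 * budget))


def compare(x, tau, sigma, alpha=2.0, n=4000):
    """Divergence between clean and perturbed output distributions plus the
    Monte Carlo vote distributions, for one noise level."""
    x_adv = [a + t for a, t in zip(x, tau)]
    return {
        "sigma": sigma,
        "renyi": renyi_gaussian(logits(x), logits(x_adv), sigma, alpha),
        "votes_clean": vote_distribution(x, sigma, n),
        "votes_perturbed": vote_distribution(x_adv, sigma, n),
    }


if __name__ == "__main__":
    x0 = [1.0, 0.0, 0.0]          # constructed clean input
    tau0 = [0.0, 0.3, 0.0]        # constructed perturbation, ||tau||_2 = 0.3
    for s in (0.5, 1.0, 3.0):
        r = compare(x0, tau0, s)
        print(f"sigma={r['sigma']:.1f} D_2={r['renyi']:.3f} "
              f"clean={r['votes_clean']} perturbed={r['votes_perturbed']}")
    print("sigma needed for D_2 <= 0.05 at ||tau||<=0.3:",
          round(sigma_for_budget(0.3, 2.0, 0.05), 3))
```

Running the script shows the trade-off the abstract alludes to: as `sigma` grows, the divergence between the clean and perturbed output distributions falls (for the constructed `x` and `tau`, from 1.8 at `sigma=0.5` to 0.05 at `sigma=3.0`), but the clean vote for the correct class also drops from near-certain to roughly three in four. The noise level is therefore a security parameter to be chosen against a stated perturbation budget, not a free knob.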
## 13 Citations

A unified view on differential privacy and robustness to adversarial examples
• Computer Science
ArXiv
• 2019
This short note highlights some links between two lines of research within the emerging topic of trustworthy machine learning: differential privacy and robustness to adversarial examples by abstracting the definitions of both notions and observing that Renyi-differential privacy and the definition of robustness share several similarities.
Certified Robustness to Adversarial Examples with Differential Privacy
• Computer Science
2019 IEEE Symposium on Security and Privacy (SP)
• 2019
This paper presents the first certified defense that both scales to large networks and datasets and applies broadly to arbitrary model types, based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism.
Robust Neural Networks using Randomized Adversarial Training
• Computer Science
ArXiv
• 2019
Randomized Adversarial Training (RAT), a technique that is efficient against both $\ell_2$ and $\ell_\infty$ attacks, is introduced, and it is shown that RAT is as efficient as adversarial training against $\ell_\infty$ attacks while being robust against strong $\ell_2$ attacks.
• Computer Science, Mathematics
NDSS
• 2020
This work shows that a strategic attacker can leverage the additional noise to mislead the classifier beyond what the attacker could do otherwise; it proposes countermeasures against such attacks.
Robustifying $\ell_\infty$ Adversarial Training to the Union of Perturbation Models
• Computer Science
• 2021
This work expands the capabilities of widely popular single-attack $\ell_\infty$ AT frameworks to provide robustness to the union of ($\ell_\infty$, $\ell_2$, $\ell_1$) perturbations while preserving their training efficiency, and establishes a benchmark for ResNet-50 and ResNet-101 on ImageNet.
• Computer Science, Mathematics
ICASSP
• 2022
A new defense mechanism against adversarial attacks inspired by an optical coprocessor is proposed, providing robustness without compromising natural accuracy in both white-box and black-box settings; the combination of a random projection and binarization in the optical system improves robustness against various types of black-box attacks.
• Computer Science
ArXiv
• 2020
The results show that having a small Lipschitz constant correlates with achieving high clean and robust accuracy, and therefore, the smoothness of the classifier is an important property to consider in the context of adversarial examples.
Learn2Perturb: An End-to-End Feature Perturbation Learning to Improve Adversarial Robustness
• Computer Science
2020 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
• 2020
The proposed Learn2Perturb method can result in deep neural networks which are 4-7% more robust to $\ell_\infty$ FGSM and PGD adversarial attacks and significantly outperforms the state of the art against the $\ell_2$ C&W attack and a wide range of well-known black-box attacks.
Yet another but more efficient black-box adversarial attack: tiling and evolution strategies
• Computer Science
ArXiv
• 2019
A new black-box attack achieving state-of-the-art performance, based on a new objective function that borrows ideas from $\ell_\infty$ white-box attacks and is particularly designed to fit derivative-free optimization requirements.
ROPUST: Improving Robustness through Fine-tuning with Photonic Processors and Synthetic Gradients
• Computer Science
ArXiv
• 2021
This work introduces ROPUST, a remarkably simple and efficient method to leverage robust pre-trained models and further increase their robustness, at no cost in natural accuracy, and introduces phase retrieval attacks, specifically designed to increase the threat level of attackers against the authors' own defense.

## References

Showing 1-10 of 37 references
Certified Robustness to Adversarial Examples with Differential Privacy
• Computer Science
2019 IEEE Symposium on Security and Privacy (SP)
• 2019
This paper presents the first certified defense that both scales to large networks and datasets and applies broadly to arbitrary model types, based on a novel connection between robustness against adversarial examples and differential privacy, a cryptographically-inspired privacy formalism.
• Computer Science
ICLR
• 2018
This paper proposes to utilize randomization at inference time to mitigate adversarial effects, and uses two randomization operations: random resizing, which resizes the input images to a random size, and random padding, which pads zeros around the input image in a random manner.
Adversarial Risk and Robustness: General Definitions and Implications for the Uniform Distribution
• Computer Science, Mathematics
NeurIPS
• 2018
This study advocates the use of the error-region definition of adversarial perturbations, and studies inherent bounds on risk and robustness of any classifier for any classification problem whose instances are uniformly distributed over $\{0,1\}^n$.
Robustness of classifiers: from adversarial to random noise
• Computer Science
NIPS
• 2016
This paper proposes the first quantitative analysis of the robustness of nonlinear classifiers in this general noise regime, and establishes precise theoretical bounds on the robustness of classifiers to random noise, which depend on the curvature of the classifier's decision boundary.
Stochastic Activation Pruning for Robust Adversarial Defense
• Computer Science
ICLR
• 2018
Stochastic Activation Pruning (SAP) is proposed, a mixed strategy for adversarial defense that prunes a random subset of activations (preferentially pruning those with smaller magnitude) and scales up the survivors to compensate.
Distillation as a Defense to Adversarial Perturbations Against Deep Neural Networks
• Computer Science
2016 IEEE Symposium on Security and Privacy (SP)
• 2016
The study shows that defensive distillation can reduce the effectiveness of adversarial sample creation from 95% to less than 0.5% on a studied DNN, and analytically investigates the generalizability and robustness properties granted by the use of defensive distillation when training DNNs.
Parametric Noise Injection: Trainable Randomness to Improve Deep Neural Network Robustness Against Adversarial Attack
• Computer Science
2019 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
• 2019
Parametric-Noise-Injection (PNI) is proposed, which involves trainable Gaussian noise injection at each layer on either activations or weights through solving a min-max optimization problem embedded with adversarial training, and effectively improves DNNs' robustness against adversarial attacks.
Adversarial Vulnerability of Neural Networks Increases With Input Dimension
• Computer Science
ArXiv
• 2018
This work shows that adversarial vulnerability increases with the gradients of the training objective when seen as a function of the inputs, and rediscovers and generalizes double-backpropagation, a technique that penalizes large gradients in the loss surface to reduce adversarial vulnerability and increase generalization performance.