Abstract
Deep neural networks (DNNs) are widely used for computer vision tasks. However, it has been shown that deep models are vulnerable to adversarial attacks: their performance drops when imperceptible perturbations are added to the original inputs, which may further degrade downstream visual tasks or introduce new problems such as data and privacy security risks. Hence, metrics for evaluating the robustness of deep models against adversarial attacks are desired. However, previous metrics were mainly proposed for evaluating the adversarial robustness of shallow networks on small-scale datasets. Although the Cross Lipschitz Extreme Value for nEtwork Robustness (CLEVER) metric has been proposed for large-scale datasets (e.g., the ImageNet dataset), it is computationally expensive and its performance relies on a tractable number of samples. In this article, we propose the Adversarial Converging Time Score (ACTS), an attack-dependent metric that quantifies the adversarial robustness of a DNN on a specific input. Our key observation is that local neighborhoods on a DNN's output surface have different shapes for different inputs. Hence, different inputs require different amounts of time to converge to an adversarial sample. Based on this geometric interpretation, ACTS measures the converging time as an adversarial robustness metric. We validate the effectiveness and generalization of the proposed ACTS metric against different adversarial attacks on the large-scale ImageNet dataset using state-of-the-art deep networks. Extensive experiments show that our ACTS metric is an efficient and effective adversarial metric compared with the previous CLEVER metric.
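The idea of scoring robustness by "converging time" can be made concrete with a toy model. The example below is added here and is not the paper's code: it assumes a constructed 3-class linear softmax classifier (weights `W`, `B`), a simple iterative sign-gradient attack with a fixed step as the attack the score depends on, and counts the iterations until the predicted label first changes; inputs that sit farther from the decision boundary need more iterations and therefore score as more robust.

```python
import numpy as np

# Constructed toy 3-class linear classifier on 2-D inputs (not the paper's model).
W = np.array([[ 2.0, -1.0],
              [-1.0,  2.0],
              [ 0.5,  0.5]])
B = np.array([0.0, 0.0, -0.5])


def logits(x):
    return W @ x + B


def softmax(z):
    z = z - z.max()            # shift for numerical stability
    e = np.exp(z)
    return e / e.sum()


def grad_input(x, y):
    """Gradient of cross-entropy loss w.r.t. input x for label y."""
    p = softmax(logits(x))
    p[y] -= 1.0                # dL/dz = softmax(z) - onehot(y)
    return W.T @ p             # chain rule through the linear layer


def converging_time(x, step=0.04, max_iter=200):
    """Assumed ACTS-style score: number of attack iterations until the
    predicted label of x changes. Returns (iterations, label_changed).
    If the attack does not converge within max_iter the score is censored
    and label_changed is False, so callers must not read it as 'robust'."""
    y = int(np.argmax(logits(x)))
    x_adv = np.array(x, dtype=float)
    for t in range(1, max_iter + 1):
        g = grad_input(x_adv, y)
        x_adv = x_adv + step * np.sign(g)   # one L-inf sign-gradient step
        if int(np.argmax(logits(x_adv))) != y:
            return t, True
    return max_iter, False


if __name__ == "__main__":
    # Constructed inputs: both predicted as class 0, at different distances
    # from the class-0/class-1 boundary.
    for x in (np.array([1.0, 0.0]), np.array([0.6, 0.4])):
        print(x, converging_time(x))   # (13, True) and (3, True)
```

A practical caveat the function encodes: because the score is attack-dependent, two inputs are only comparable under the same attack, step size and iteration budget.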
A Geometrical Approach to Evaluate the Adversarial Robustness of Deep Neural Networks