A Geometrical Approach to Evaluate the Adversarial Robustness of Deep Neural Networks

Published: 7 June 2023

Abstract

Deep neural networks (DNNs) are widely used for computer vision tasks. However, deep models have been shown to be vulnerable to adversarial attacks: their performance drops when imperceptible perturbations are applied to the original inputs, which can further degrade downstream visual tasks or introduce new problems such as data and privacy security risks. Hence, metrics for evaluating the robustness of deep models against adversarial attacks are desirable. Previous metrics, however, were mainly proposed for evaluating the adversarial robustness of shallow networks on small-scale datasets. Although the Cross Lipschitz Extreme Value for nEtwork Robustness (CLEVER) metric has been proposed for large-scale datasets (e.g., the ImageNet dataset), it is computationally expensive, and its performance relies on a tractable number of samples. In this article, we propose the Adversarial Converging Time Score (ACTS), an attack-dependent metric that quantifies the adversarial robustness of a DNN on a specific input. Our key observation is that local neighborhoods on a DNN's output surface have different shapes for different inputs, so the time required to converge to an adversarial sample also differs across inputs. Based on this geometric interpretation, ACTS measures the converging time as an adversarial robustness metric. We validate the effectiveness and generalization of the proposed ACTS metric against different adversarial attacks on the large-scale ImageNet dataset using state-of-the-art deep networks. Extensive experiments show that ACTS is a more efficient and effective adversarial robustness metric than the previous CLEVER metric.
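The converging-time intuition behind ACTS can be illustrated with a toy proxy: under an iterative gradient-sign attack, an input whose local neighborhood sits far from the decision boundary should need more attack steps before it converges to an adversarial sample. The sketch below is only an illustrative proxy for this idea on a hypothetical two-class linear classifier — the model, step size, and step-counting loop are all assumptions for demonstration, not the paper's exact ACTS formulation.

```python
import numpy as np

# Hypothetical toy linear classifier: scores = W @ x, predicted class = argmax.
W = np.array([[1.0, 0.0],
              [0.0, 1.0]])

def predict(x):
    return int(np.argmax(W @ x))

def converging_time_proxy(x, step=0.05, max_steps=1000):
    """Count gradient-sign attack steps until the prediction flips.

    An illustrative stand-in for a converging-time score: more steps
    suggests a locally more robust input. Binary-class case only.
    """
    x = x.astype(float).copy()
    y0 = predict(x)
    other = 1 - y0  # the only other class in this two-class toy
    # Gradient of (score_other - score_y0) w.r.t. x is constant for a
    # linear model; each step moves x toward the decision boundary.
    g = W[other] - W[y0]
    for t in range(1, max_steps + 1):
        x = x + step * np.sign(g)
        if predict(x) != y0:
            return t
    return max_steps

robust_input  = np.array([2.0, 0.15])  # large margin to the boundary
fragile_input = np.array([1.0, 0.85])  # small margin to the boundary
```

On this toy model, `converging_time_proxy(fragile_input)` is much smaller than `converging_time_proxy(robust_input)`, mirroring the claim that inputs with differently shaped local neighborhoods require different converging times.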



• Published in: ACM Transactions on Multimedia Computing, Communications, and Applications, Volume 19, Issue 5s (October 2023), 280 pages. ISSN: 1551-6857. EISSN: 1551-6865. DOI: 10.1145/3599694. Editor: Abdulmotaleb El Saddik.


Publisher: Association for Computing Machinery, New York, NY, United States

Publication History

• Published: 7 June 2023
• Online AM: 15 March 2023
• Accepted: 26 February 2023
• Revised: 19 December 2022
• Received: 3 September 2022

Published in TOMM Volume 19, Issue 5s
