Attribute-Guided Adversarial Training for Robustness to Natural Perturbations
Abstract
While existing work in robust deep learning has focused on small pixel-level norm-based perturbations, this may not account for perturbations encountered in several real-world settings. In many such cases, although test data might not be available, broad specifications about the types of perturbations (such as an unknown degree of rotation) may be known. We consider a setup where robustness is expected over an unseen test domain that is not i.i.d. but deviates from the training domain. While this deviation may not be exactly known, its broad characterization is specified a priori, in terms of attributes. We propose an adversarial training approach which learns to generate new samples so as to maximize exposure of the classifier to the attribute space, without having access to data from the test domain. Our adversarial training solves a min-max optimization problem, with the inner maximization generating adversarial perturbations and the outer minimization finding model parameters by optimizing the loss on the adversarial perturbations generated by the inner maximization. We demonstrate the applicability of our approach on three types of naturally occurring perturbations --- object-related shifts, geometric transformations, and common image corruptions. Our approach enables deep neural networks to be robust against a wide range of naturally occurring perturbations. We demonstrate the usefulness of the proposed approach by showing the robustness gains of deep neural networks trained using our adversarial training on MNIST, CIFAR-10, and a new variant of the CLEVR dataset.
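The min-max scheme described above can be illustrated with a hypothetical toy sketch (this is not the authors' implementation): a one-dimensional logistic classifier, an additive shift `a` in a known range standing in for the attribute (e.g. an unknown degree of rotation), a grid search as the inner maximization, and a gradient step on the worst-case sample as the outer minimization.

```python
import math
import random

random.seed(0)

def loss(w, b, x, y):
    # logistic loss for a scalar input x and label y in {0, 1}
    p = 1.0 / (1.0 + math.exp(-(w * x + b)))
    eps = 1e-12
    return -(y * math.log(p + eps) + (1 - y) * math.log(1 - p + eps))

def worst_attribute(w, b, x, y, A=1.0, steps=21):
    # inner maximization: grid-search the attribute space [-A, A]
    # for the shift that maximizes the classifier's loss on (x, y)
    shifts = [-A + 2 * A * i / (steps - 1) for i in range(steps)]
    return max((x + a for a in shifts), key=lambda xa: loss(w, b, xa, y))

# toy training data: class 0 clustered near -2, class 1 near +2
data = [(random.gauss(-2, 0.3), 0) for _ in range(50)] + \
       [(random.gauss(+2, 0.3), 1) for _ in range(50)]

w, b, lr = 0.0, 0.0, 0.1
for epoch in range(200):
    for x, y in data:
        xa = worst_attribute(w, b, x, y)   # adversarial sample in attribute space
        p = 1.0 / (1.0 + math.exp(-(w * xa + b)))
        w -= lr * (p - y) * xa             # outer minimization: gradient step
        b -= lr * (p - y)                  # on the loss at the worst-case point

# evaluate on an attribute-shifted "test domain" (shift +0.8, inside [-A, A])
acc = sum((w * (x + 0.8) + b > 0) == (y == 1) for x, y in data) / len(data)
print(round(acc, 2))
```

Because the classifier is trained against the worst shift in the specified range rather than only the clean samples, it remains accurate on the shifted test points without ever seeing the test domain.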
- Authors:
- Gokhale, Tejas; Anirudh, Rushil; Kailkhura, Bhavya; Thiagarajan, Jayaraman J.; Baral, Chitta; Yang, Yezhou
- Arizona State University, Tempe, AZ (United States)
- Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States)
- Publication Date: May 18, 2021
- Research Org.:
- Lawrence Livermore National Lab. (LLNL), Livermore, CA (United States)
- Sponsoring Org.:
- USDOE National Nuclear Security Administration (NNSA); USDOE Laboratory Directed Research and Development (LDRD) Program
- OSTI Identifier:
- 1888097
- Report Number(s):
- LLNL-JRNL-814425
- Journal ID: ISSN 2159-5399; 1023019
- Grant/Contract Number:
- AC52-07NA27344
- Resource Type:
- Accepted Manuscript
- Journal Name:
- Proceedings of the AAAI Conference on Artificial Intelligence
- Additional Journal Information:
- Journal Volume: 35; Journal Issue: 9; Conference: 35. AAAI Conference on Artificial Intelligence, Held Virtually, 2-9 Feb 2021; Journal ID: ISSN 2159-5399
- Publisher:
- Association for the Advancement of Artificial Intelligence
- Country of Publication:
- United States
- Language:
- English
- Subject:
- 97 MATHEMATICS AND COMPUTING; advanced learning; robustness
Citation Formats
Gokhale, Tejas, Anirudh, Rushil, Kailkhura, Bhavya, Thiagarajan, Jayaraman J., Baral, Chitta, and Yang, Yezhou. Attribute-Guided Adversarial Training for Robustness to Natural Perturbations. United States: N. p., 2021.
Web. doi:10.1609/aaai.v35i9.16927.
Gokhale, Tejas, Anirudh, Rushil, Kailkhura, Bhavya, Thiagarajan, Jayaraman J., Baral, Chitta, & Yang, Yezhou. Attribute-Guided Adversarial Training for Robustness to Natural Perturbations. United States. https://doi.org/10.1609/aaai.v35i9.16927
Gokhale, Tejas, Anirudh, Rushil, Kailkhura, Bhavya, Thiagarajan, Jayaraman J., Baral, Chitta, and Yang, Yezhou. 2021.
"Attribute-Guided Adversarial Training for Robustness to Natural Perturbations". United States. https://doi.org/10.1609/aaai.v35i9.16927. https://www.osti.gov/servlets/purl/1888097.
@article{osti_1888097,
title = {Attribute-Guided Adversarial Training for Robustness to Natural Perturbations},
author = {Gokhale, Tejas and Anirudh, Rushil and Kailkhura, Bhavya and Thiagarajan, Jayaraman J. and Baral, Chitta and Yang, Yezhou},
abstractNote = {While existing work in robust deep learning has focused on small pixel-level norm-based perturbations, this may not account for perturbations encountered in several real-world settings. In many such cases, although test data might not be available, broad specifications about the types of perturbations (such as an unknown degree of rotation) may be known. We consider a setup where robustness is expected over an unseen test domain that is not i.i.d. but deviates from the training domain. While this deviation may not be exactly known, its broad characterization is specified a priori, in terms of attributes. We propose an adversarial training approach which learns to generate new samples so as to maximize exposure of the classifier to the attribute space, without having access to data from the test domain. Our adversarial training solves a min-max optimization problem, with the inner maximization generating adversarial perturbations and the outer minimization finding model parameters by optimizing the loss on the adversarial perturbations generated by the inner maximization. We demonstrate the applicability of our approach on three types of naturally occurring perturbations --- object-related shifts, geometric transformations, and common image corruptions. Our approach enables deep neural networks to be robust against a wide range of naturally occurring perturbations. We demonstrate the usefulness of the proposed approach by showing the robustness gains of deep neural networks trained using our adversarial training on MNIST, CIFAR-10, and a new variant of the CLEVR dataset.},
doi = {10.1609/aaai.v35i9.16927},
journal = {Proceedings of the AAAI Conference on Artificial Intelligence},
number = 9,
volume = 35,
place = {United States},
year = {2021},
month = {may}
}