Parameterizing Activation Functions for Adversarial Robustness

2022 IEEE Security and Privacy Workshops (SPW) Pub Date : 2021-10-11 DOI:10.1109/spw54247.2022.9833884

Sihui Dai, Saeed Mahloujifar, Prateek Mittal

{"title":"Parameterizing Activation Functions for Adversarial Robustness","authors":"Sihui Dai, Saeed Mahloujifar, Prateek Mittal","doi":"10.1109/spw54247.2022.9833884","DOIUrl":null,"url":null,"abstract":"Deep neural networks are known to be vulnerable to adversarially perturbed inputs. A commonly used defense is adversarial training, whose performance is influenced by model architecture. While previous works have studied the impact of varying model width and depth on robustness, the impact of using learnable parametric activation functions (PAFs) has not been studied. We study how using learnable PAFs can improve robustness in conjunction with adversarial training. We first ask the question: Can changing activation function shape improve robustness? To address this, we choose a set of PAFs with parameters that allow us to independently control behavior on negative inputs, inputs near zero, and positive inputs. Using these PAFs, we train models using adversarial training with fixed PAF shape parameter values. We find that all regions of PAF shape influence the robustness of obtained models, however only variation in certain regions (inputs near zero, positive inputs) can improve robustness over ReLU. We then combine learnable PAFs with adversarial training and analyze robust performance. We find that choice of activation function can significantly impact the robustness of the trained model. We find that only certain PAFs, such as smooth PAFs, are able to improve robustness significantly over ReLU. Overall, our work puts into context the importance of activation functions in adversarially trained models.","PeriodicalId":334852,"journal":{"name":"2022 IEEE Security and Privacy Workshops (SPW)","volume":"116 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2021-10-11","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"23","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"2022 IEEE Security and Privacy Workshops (SPW)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/spw54247.2022.9833884","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 23

Abstract

Deep neural networks are known to be vulnerable to adversarially perturbed inputs. A commonly used defense is adversarial training, whose performance is influenced by model architecture. While previous works have studied the impact of varying model width and depth on robustness, the impact of using learnable parametric activation functions (PAFs) has not been studied. We study how using learnable PAFs can improve robustness in conjunction with adversarial training. We first ask the question: Can changing activation function shape improve robustness? To address this, we choose a set of PAFs with parameters that allow us to independently control behavior on negative inputs, inputs near zero, and positive inputs. Using these PAFs, we train models using adversarial training with fixed PAF shape parameter values. We find that all regions of PAF shape influence the robustness of obtained models, however only variation in certain regions (inputs near zero, positive inputs) can improve robustness over ReLU. We then combine learnable PAFs with adversarial training and analyze robust performance. We find that choice of activation function can significantly impact the robustness of the trained model. We find that only certain PAFs, such as smooth PAFs, are able to improve robustness significantly over ReLU. Overall, our work puts into context the importance of activation functions in adversarially trained models.

查看原文本刊更多论文

对抗鲁棒性的参数化激活函数

众所周知，深度神经网络容易受到对抗性扰动输入的影响。一种常用的防御方法是对抗性训练，其性能受模型体系结构的影响。虽然以前的工作已经研究了不同的模型宽度和深度对鲁棒性的影响，但使用可学习参数激活函数(paf)的影响尚未得到研究。我们研究了如何使用可学习的paf结合对抗性训练来提高鲁棒性。我们首先要问的问题是:改变激活函数的形状能提高鲁棒性吗?为了解决这个问题，我们选择了一组带有参数的paf，这些参数允许我们独立控制负输入、接近零的输入和正输入的行为。使用这些PAF，我们使用固定PAF形状参数值的对抗性训练来训练模型。我们发现PAF形状的所有区域都会影响所获得模型的鲁棒性，但是只有某些区域(输入接近零，正输入)的变化才能提高ReLU的鲁棒性。然后，我们将可学习的paf与对抗训练相结合，并分析其稳健性能。我们发现激活函数的选择可以显著影响训练模型的鲁棒性。我们发现，只有某些paf，如光滑paf，能够在ReLU上显著提高鲁棒性。总的来说，我们的工作将激活函数在对抗训练模型中的重要性放在了上下文中。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

2022 IEEE Security and Privacy Workshops (SPW)

自引率

0.00%

发文量