Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security最新文献

筛选

英文中文

SAT: Improving Adversarial Training via Curriculum-Based Loss Smoothing SAT:通过基于课程的损失平滑改进对抗性训练

Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-03-18 DOI: 10.1145/3474369.3486878

Chawin Sitawarin, S. Chakraborty, David A. Wagner

{"title":"SAT: Improving Adversarial Training via Curriculum-Based Loss Smoothing","authors":"Chawin Sitawarin, S. Chakraborty, David A. Wagner","doi":"10.1145/3474369.3486878","DOIUrl":"https://doi.org/10.1145/3474369.3486878","url":null,"abstract":"Adversarial training (AT) has become a popular choice for training robust networks. However, it tends to sacrifice clean accuracy heavily in favor of robustness and suffers from a large generalization error. To address these concerns, we propose Smooth Adversarial Training (SAT), guided by our analysis on the eigenspectrum of the loss Hessian. We find that curriculum learning, a scheme that emphasizes on starting \"easy'' and gradually ramping up on the \"difficulty'' of training, smooths the adversarial loss landscape for a suitably chosen difficulty metric. We present a general formulation for curriculum learning in the adversarial setting and propose two difficulty metrics based on the maximal Hessian eigenvalue (H-SAT) and the softmax probability (P-SA). We demonstrate that SAT stabilizes network training even for a large perturbation norm and allows the network to operate at a better clean accuracy versus robustness trade-off curve compared to AT. This leads to a significant improvement in both clean accuracy and robustness compared to AT, TRADES, and other baselines. To highlight a few results, our best model improves normal and robust accuracy by 6% and 1% on CIFAR-100 compared to AT, respectively. On Imagenette, a ten-class subset of ImageNet, our model outperforms AT by 23% and 3% on normal and robust accuracy respectively.","PeriodicalId":411057,"journal":{"name":"Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security","volume":"25 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-03-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"125628777","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 29

NNoculation: Catching BadNets in the Wild 接种:在野外捕捉恶意网络

Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security Pub Date : 2020-02-19 DOI: 10.1145/3474369.3486874

A. Veldanda, Kang Liu, Benjamin Tan, P. Krishnamurthy, F. Khorrami, R. Karri, Brendan Dolan-Gavitt, S. Garg

{"title":"NNoculation: Catching BadNets in the Wild","authors":"A. Veldanda, Kang Liu, Benjamin Tan, P. Krishnamurthy, F. Khorrami, R. Karri, Brendan Dolan-Gavitt, S. Garg","doi":"10.1145/3474369.3486874","DOIUrl":"https://doi.org/10.1145/3474369.3486874","url":null,"abstract":"This paper proposes a novel two-stage defense (NNoculation) against backdoored neural networks (BadNets) that, repairs a BadNet both pre-deployment and online in response to backdoored test inputs encountered in the field. In the pre-deployment stage, NNoculation retrains the BadNet with random perturbations of clean validation inputs to partially reduce the adversarial impact of a backdoor. Post-deployment, NNoculation detects and quarantines backdoored test inputs by recording disagreements between the original and pre-deployment patched networks. A CycleGAN is then trained to learn transformations between clean validation and quarantined inputs; i.e., it learns to add triggers to clean validation images. Backdoored validation images along with their correct labels are used to further retrain the pre-deployment patched network, yielding our final defense. Empirical evaluation on a comprehensive suite of backdoor attacks show that NNoculation outperforms all state-of-the-art defenses that make restrictive assumptions and only work on specific backdoor attacks, or fail on adaptive attacks. In contrast, NNoculation makes minimal assumptions and provides an effective defense, even under settings where existing defenses are ineffective due to attackers circumventing their restrictive assumptions.","PeriodicalId":411057,"journal":{"name":"Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security","volume":"14 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2020-02-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132986554","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}

引用次数: 11

首页上一页