

Title: Characteristic Examples: High-Robustness, Low-Transferability Fingerprinting of Neural Networks

This paper proposes Characteristic Examples for effectively fingerprinting deep neural networks. The resulting fingerprints feature high robustness, meaning they still identify the base model after it has been pruned, and low transferability, meaning they do not match unassociated models. This is the first work to take both robustness and transferability into consideration when generating realistic fingerprints; current methods rest on impractical assumptions and may incur large false positive rates. To achieve a better trade-off between robustness and transferability, we propose three kinds of characteristic examples, vanilla C-examples, RC-examples, and LTRC-examples, which are derived from the original base model. To fairly characterize the trade-off between robustness and transferability, we propose the Uniqueness Score, a comprehensive metric that measures the difference between robustness and transferability and also serves as an indicator of the false alarm problem. Extensive experiments demonstrate that the proposed characteristic examples achieve superior performance compared with existing fingerprinting methods. In particular, for VGG ImageNet models, using LTRC-examples gives a 4X higher uniqueness score than the baseline method and does not incur any false positives.
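As an added illustration (not the paper's code), the verification workflow the abstract describes, run on tiny linear classifiers: magnitude pruning stands in for the derivative models, the uniqueness score is assumed to be robustness minus transferability (mean fingerprint match rate on pruned derivatives minus mean match rate on unrelated models), and the paper's optimisation-based generation of LTRC-examples is replaced by a simple filter over candidate inputs. The model and scenario are constructed for the example.

```python
import random

def predict(weights, x):
    # Argmax of per-class dot products; ties go to the lowest class index.
    scores = [sum(w * xi for w, xi in zip(wc, x)) for wc in weights]
    return max(range(len(scores)), key=scores.__getitem__)

def prune(weights, ratio):
    # Magnitude pruning: zero the smallest `ratio` fraction of the weights.
    flat = sorted(abs(w) for wc in weights for w in wc)
    thr = flat[min(int(ratio * len(flat)), len(flat) - 1)]
    return [[w if abs(w) >= thr else 0.0 for w in wc] for wc in weights]

def match_rate(fingerprint, model):
    # Fraction of (input, label) fingerprint pairs the model reproduces.
    if not fingerprint:
        return 0.0
    return sum(predict(model, x) == y for x, y in fingerprint) / len(fingerprint)

def uniqueness_score(fingerprint, derivatives, unrelated):
    # Assumed metric form: mean match rate on derivatives minus mean on unrelated.
    rob = sum(match_rate(fingerprint, m) for m in derivatives) / len(derivatives)
    tra = sum(match_rate(fingerprint, m) for m in unrelated) / len(unrelated)
    return rob - tra, rob, tra

def select_characteristic(base, candidates, derivatives, unrelated):
    # Simplified stand-in for LTRC-example generation: keep candidates whose
    # base label survives every derivative and is matched by no unrelated model.
    chosen = []
    for x in candidates:
        y = predict(base, x)
        if all(predict(m, x) == y for m in derivatives) and not any(
                predict(m, x) == y for m in unrelated):
            chosen.append((x, y))
    return chosen

def demo(seed=0, dim=8, classes=4, pool=200):
    # Constructed scenario: random base model, pruned derivatives, and
    # independently drawn unrelated models; returns (vanilla, selected) scores.
    rng = random.Random(seed)
    rand_model = lambda: [[rng.uniform(-1, 1) for _ in range(dim)]
                          for _ in range(classes)]
    base = rand_model()
    derivatives = [prune(base, r) for r in (0.2, 0.4, 0.6)]
    unrelated = [rand_model() for _ in range(5)]
    candidates = [[rng.uniform(-1, 1) for _ in range(dim)] for _ in range(pool)]
    vanilla = [(x, predict(base, x)) for x in candidates[:20]]
    selected = select_characteristic(base, candidates, derivatives, unrelated)
    return (uniqueness_score(vanilla, derivatives, unrelated),
            uniqueness_score(selected, derivatives, unrelated))
```

The selected examples are scored on the same derivative and unrelated models that were used to choose them, so their score of exactly 1.0 is optimistic; a real verifier estimates the false-positive rate against held-out pruned and unrelated models.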

Award ID(s):
1929300
NSF-PAR ID:
10297119
Journal Name:
International Joint Conferences on Artificial Intelligence Organization (IJCAI)
Page Range / eLocation ID:
575 to 582
Sponsoring Org:
National Science Foundation
More Like this
  1. Defenses against adversarial examples, such as adversarial training, are typically tailored to a single perturbation type (e.g., small ℓ∞-noise). For other perturbations, these defenses offer no guarantees and, at times, even increase the model’s vulnerability. Our aim is to understand the reasons underlying this robustness trade-off, and to train models that are simultaneously robust to multiple perturbation types. We prove that a trade-off in robustness to different types of ℓp-bounded and spatial perturbations must exist in a natural and simple statistical setting. We corroborate our formal analysis by demonstrating similar robustness trade-offs on MNIST and CIFAR10. We propose new multi-perturbation adversarial training schemes, as well as an efficient attack for the ℓ1-norm, and use these to show that models trained against multiple attacks fail to achieve robustness competitive with that of models trained on each attack individually. In particular, we find that adversarial training with first-order ℓ∞, ℓ1 and ℓ2 attacks on MNIST achieves merely 50% robust accuracy, partly because of gradient-masking. Finally, we propose affine attacks that linearly interpolate between perturbation types and further degrade the accuracy of adversarially trained models. 
  2. Perumalla, Kalyan; Lopez Jr., Juan; Siraj, Ambareen (Eds.)
    Executable steganography, the hiding of software machine code inside of a larger program, is a potential approach to introduce new software protection constructs such as watermarks or fingerprints. Software fingerprinting is, therefore, a process similar to steganography, hiding data within other data. The goal of fingerprinting is to hide a unique secret message, such as a serial number, in copies of an executable program in order to provide proof of ownership of that program. Fingerprints are a special case of watermarks, with the difference being that each fingerprint is unique to each copy of a program. Traditionally, researchers describe four aims that a software fingerprint should achieve: the fingerprint should be difficult to remove, it should not be obvious, it should have a low false positive rate, and it should have negligible impact on performance. In this research, we propose to extend these objectives and introduce a fifth aim: that software fingerprints should be machine independent. As a result, the same fingerprinting method can be used regardless of the architecture used to execute the program. Hence, this paper presents an approach towards the realization of machine-independent fingerprinting of executable programs. We make use of Low-Level Virtual Machine (LLVM) intermediate representation during the software compilation process to demonstrate both a simple static fingerprinting method and a dynamic method, which demonstrates our aim of hardware-independent fingerprinting. The research contribution includes a realization of the approach using the LLVM infrastructure and provides a proof of concept for both simple static and dynamic watermarks that are architecture neutral.
  3. Pathogens exhibit a rich variety of life history strategies, shaped by natural selection. An important pathogen life history characteristic is the propensity to induce an asymptomatic yet productive (transmissive) stage at the beginning of an infection. This characteristic is subject to complex trade-offs, ranging from immunological considerations to population-level social processes. We aim to classify the evolutionary dynamics of such asymptomatic behavior of pathogens (hereafter “latency”) in order to unify epidemiology and evolution for this life history strategy. We focus on a simple epidemiological model with two infectious stages, where hosts in the first stage can be partially or fully asymptomatic. Immunologically, there is a trade-off between transmission and progression in this first stage. For arbitrary trade-offs, we derive different conditions that guarantee either at least one evolutionarily stable strategy (ESS) at zero, some, or maximal latency of the first stage or, perhaps surprisingly, at least one unstable evolutionarily singular strategy. In this latter case, there is bistability between zero and nonzero (possibly maximal) latency. We then prove the uniqueness of interior evolutionarily singular strategies for power-law and exponential trade-offs: Thus, bistability is always between zero and maximal latency. Overall, previous multistage infection models can be summarized with a single model that includes evolutionary processes acting on latency. Since small changes in parameter values can lead to abrupt transitions in evolutionary dynamics, appropriate disease control strategies could have a substantial impact on the evolution of first-stage latency.

  4. Interoperability between contact and contactless images in fingerprint matching is a key factor in the success of contactless fingerprinting devices, which have recently witnessed an increasing demand for biometric authentication. However, due to the presence of perspective distortion and the absence of elastic deformation in contactless fingerphotos, direct matching between contactless fingerprint probe images and legacy contact-based gallery images produces low accuracy. In this paper, to improve interoperability, we propose a coupled deep learning framework that consists of two Conditional Generative Adversarial Networks. Generative modeling is employed to find a projection that maximizes the pairwise correlation between these two domains in a common latent embedding subspace. Extensive experiments on three challenging datasets demonstrate significant performance improvements over the state-of-the-art methods and two top-performing commercial off-the-shelf SDKs, i.e., Verifinger 12.0 and Innovatrics. We also achieve a high performance gain by combining multiple fingers of the same subject using a score fusion model.
  5. Adversarial training is an effective defense method to protect classification models against adversarial attacks. However, one limitation of this approach is that it can require orders of magnitude additional training time due to the high cost of generating strong adversarial examples during training. In this paper, we first show that there is high transferability between models from neighboring epochs in the same training process, i.e., adversarial examples from one epoch continue to be adversarial in subsequent epochs. Leveraging this property, we propose a novel method, Adversarial Training with Transferable Adversarial Examples (ATTA), that can enhance the robustness of trained models and greatly improve the training efficiency by accumulating adversarial perturbations through epochs. Compared to state-of-the-art adversarial training methods, ATTA enhances adversarial accuracy by up to 7.2% on CIFAR10 and requires 12 ∼ 14× less training time on the MNIST and CIFAR10 datasets with comparable model robustness.