More Like this

1. A Manifold View of Adversarial Risk

   Zhang, Wenjia ; Zhang, Yikai ; Hu, Xiaoling ; Goswami, Mayank ; Chen, Chao ; Metaxas, Dimitris N. ( April 2022 , Proceedings of The 25th International Conference on Artificial Intelligence and Statistics)

   The adversarial risk of a machine learning model has been widely studied. Most previous works assume that the data lies in the whole ambient space. We propose to take a new angle and take the manifold assumption into consideration. Assuming data lies in a manifold, we investigate two new types of adversarial risk, the normal adversarial risk due to perturbation along normal direction, and the in-manifold adversarial risk due to perturbation within the manifold. We prove that the classic adversarial risk can be bounded from both sides using the normal and in-manifold adversarial risks. We also show with a surprisingly pessimistic case that the standard adversarial risk can be nonzero even when both normal and in-manifold risks are zero. We finalize the paper with empirical studies supporting our theoretical results. Our results suggest the possibility of improving the robustness of a classifier by only focusing on the normal adversarial risk. 

   more » « less
2. Tail associations in ecological variables and their impact on extinction risk

   https://doi.org/10.1002/ecs2.3132  

   Ghosh, Shyamolina ; Sheppard, Lawrence W. ; Reuman, Daniel C. ( May 2020 , Ecosphere)

   Extreme climatic events (ECEs) are becoming more frequent and more intense due to climate change. Furthermore, there is reason to believe ECEs may modify tail associations between distinct population vital rates, or between values of an environmental variable measured in different locations. Tail associations between two variables are associations that occur between values in the left or right tails of the distributions of the variables. Two positively associated variables can be principally left‐tail associated (i.e., more correlated when they take low values than when they take high values) or right‐tail associated (more correlated when they take high than low values), even with the same overall correlation coefficient in both cases. We tested, in the context of non‐spatial stage‐structured matrix models, whether tail associations between stage‐specific vital rates may influence extinction risk. We also tested whether the nature of spatial tail associations of environmental variables can influence metapopulation extinction risk. For instance, if low values of an environmental variable reduce the growth rates of local populations, one may expect that left‐tail associations increase metapopulation extinction risks because then environmental catastrophes are spatially synchronized, presumably reducing the potential for rescue effects. For the non‐spatial, stage‐structured models we considered, left‐tail associations between vital rates did accentuate extinction risk compared to right‐tail associations, but the effect was small. In contrast, we showed that density dependence interacts with tail associations to influence metapopulation extinction risk substantially: For population models showing undercompensatory density dependence, left‐tail associations in environmental variables often strongly accentuated and right‐tail associations mitigated extinction risk, whereas the reverse was usually true for models showing overcompensatory density dependence. Tail associations and their asymmetries are taken into account in assessing risks in finance and other fields, but to our knowledge, our study is one of the first to consider how tail associations influence population extinction risk. Our modeling results provide an initial demonstration of a new mechanism influencing extinction risks and, in our view, should help motivate more comprehensive study of the mechanism and its importance for real populations in future work.

    

   more » « less
3. Dual Manifold Adversarial Robustness: Defense against Lp and non-Lp Adversarial Attacks

   Lin, Wei-An ; Pong Lau, Chun ; Levine, Alexander ; Chellappa, Rama ; Feizi, Soheil ( January 2020 , Advances in Neural Information Processing Systems Foundation (NeurIPS))

   null (Ed.)

   Adversarial training is a popular defense strategy against attack threat models with bounded Lp norms. However, it often degrades the model performance on normal images and the defense does not generalize well to novel attacks. Given the success of deep generative models such as GANs and VAEs in characterizing the underlying manifold of images, we investigate whether or not the aforementioned problems can be remedied by exploiting the underlying manifold information. To this end, we construct an "On-Manifold ImageNet" (OM-ImageNet) dataset by projecting the ImageNet samples onto the manifold learned by StyleGSN. For this dataset, the underlying manifold information is exact. Using OM-ImageNet, we first show that adversarial training in the latent space of images improves both standard accuracy and robustness to on-manifold attacks. However, since no out-of-manifold perturbations are realized, the defense can be broken by Lp adversarial attacks. We further propose Dual Manifold Adversarial Training (DMAT) where adversarial perturbations in both latent and image spaces are used in robustifying the model. Our DMAT improves performance on normal images, and achieves comparable robustness to the standard adversarial training against Lp attacks. In addition, we observe that models defended by DMAT achieve improved robustness against novel attacks which manipulate images by global color shifts or various types of image filtering. Interestingly, similar improvements are also achieved when the defended models are tested on out-of-manifold natural images. These results demonstrate the potential benefits of using manifold information in enhancing robustness of deep learning models against various types of novel adversarial attacks. 

   more » « less
4. A Synergetic Attack against Neural Network Classifiers combining Backdoor and Adversarial Examples

   https://doi.org/10.1109/BigData52589.2021.9671964  

   Liu, Guanxiong ; Khalil, Issa ; Khreishah, Abdallah ; Phan, NhatHai ( October 2021 , IEEE International Conference on Big Data)

   The pervasiveness of neural networks (NNs) in critical computer vision and image processing applications makes them very attractive for adversarial manipulation. A large body of existing research thoroughly investigates two broad categories of attacks targeting the integrity of NN models. The first category of attacks, commonly called Adversarial Examples, perturbs the model's inference by carefully adding noise into input examples. In the second category of attacks, adversaries try to manipulate the model during the training process by implanting Trojan backdoors. Researchers show that such attacks pose severe threats to the growing applications of NNs and propose several defenses against each attack type individually. However, such one-sided defense approaches leave potentially unknown risks in real-world scenarios when an adversary can unify different attacks to create new and more lethal ones bypassing existing defenses. In this work, we show how to jointly exploit adversarial perturbation and model poisoning vulnerabilities to practically launch a new stealthy attack, dubbed AdvTrojan. AdvTrojan is stealthy because it can be activated only when: 1) a carefully crafted adversarial perturbation is injected into the input examples during inference, and 2) a Trojan backdoor is implanted during the training process of the model. We leverage adversarial noise in the input space to move Trojan-infected examples across the model decision boundary, making it difficult to detect. The stealthiness behavior of AdvTrojan fools the users into accidentally trusting the infected model as a robust classifier against adversarial examples. AdvTrojan can be implemented by only poisoning the training data similar to conventional Trojan backdoor attacks. Our thorough analysis and extensive experiments on several benchmark datasets show that AdvTrojan can bypass existing defenses with a success rate close to 100% in most of our experimental scenarios and can be extended to attack federated learning as well as high-resolution images. 

   more » « less
5. TextHoaxer: Budgeted Hard-Label Adversarial Attacks on Text

   https://doi.org/10.1609/aaai.v36i4.20303  

   Ye, Muchao ; Miao, Chenglin ; Wang, Ting ; Ma, Fenglong ( June 2022 , Proceedings of the AAAI Conference on Artificial Intelligence)

   This paper focuses on a newly challenging setting in hard-label adversarial attacks on text data by taking the budget information into account. Although existing approaches can successfully generate adversarial examples in the hard-label setting, they follow an ideal assumption that the victim model does not restrict the number of queries. However, in real-world applications the query budget is usually tight or limited. Moreover, existing hard-label adversarial attack techniques use the genetic algorithm to optimize discrete text data by maintaining a number of adversarial candidates during optimization, which can lead to the problem of generating low-quality adversarial examples in the tight-budget setting. To solve this problem, in this paper, we propose a new method named TextHoaxer by formulating the budgeted hard-label adversarial attack task on text data as a gradient-based optimization problem of perturbation matrix in the continuous word embedding space. Compared with the genetic algorithm-based optimization, our solution only uses a single initialized adversarial example as the adversarial candidate for optimization, which significantly reduces the number of queries. The optimization is guided by a new objective function consisting of three terms, i.e., semantic similarity term, pair-wise perturbation constraint, and sparsity constraint. Semantic similarity term and pair-wise perturbation constraint can ensure the high semantic similarity of adversarial examples from both comprehensive text-level and individual word-level, while the sparsity constraint explicitly restricts the number of perturbed words, which is also helpful for enhancing the quality of generated text. We conduct extensive experiments on eight text datasets against three representative natural language models, and experimental results show that TextHoaxer can generate high-quality adversarial examples with higher semantic similarity and lower perturbation rate under the tight-budget setting. 

   more » « less