Attack as defense: Characterizing adversarial examples using robustness

Attack as defense: Characterizing adversarial examples using robustness

As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning softwar...

Full description

Saved in:
Bibliographic Details
Main Authors: ZHAO, Zhe, CHEN, Guangke, WANG, Jingyi, YANG, Yiwei, SONG, Fu, SUN, Jun
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2021
Subjects:
Deep learning
neural networks
defense
adversarial examples
Software Engineering
Online Access:https://ink.library.smu.edu.sg/sis_research/6213
https://ink.library.smu.edu.sg/context/sis_research/article/7216/viewcontent/attack_as_defense.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
id sg-smu-ink.sis_research-7216
record_format dspace
spelling sg-smu-ink.sis_research-72162022-01-21T05:25:30Z Attack as defense: Characterizing adversarial examples using robustness ZHAO, Zhe CHEN, Guangke WANG, Jingyi YANG, Yiwei SONG, Fu SUN, Jun As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10. 2021-07-01T07:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/6213 info:doi/10.1145/3460319.3464822 https://ink.library.smu.edu.sg/context/sis_research/article/7216/viewcontent/attack_as_defense.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Deep learning neural networks defense adversarial examples Software Engineering
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Deep learning
neural networks
defense
adversarial examples
Software Engineering
spellingShingle Deep learning
neural networks
defense
adversarial examples
Software Engineering
ZHAO, Zhe
CHEN, Guangke
WANG, Jingyi
YANG, Yiwei
SONG, Fu
SUN, Jun
Attack as defense: Characterizing adversarial examples using robustness
description As a new programming paradigm, deep learning has expanded its application to many real-world problems. At the same time, deep learning based software are found to be vulnerable to adversarial attacks. Though various defense mechanisms have been proposed to improve robustness of deep learning software, many of them are ineffective against adaptive attacks. In this work, we propose a novel characterization to distinguish adversarial examples from benign ones based on the observation that adversarial examples are significantly less robust than benign ones. As existing robustness measurement does not scale to large networks, we propose a novel defense framework, named attack as defense (A2D), to detect adversarial examples by effectively evaluating an example’s robustness. A2D uses the cost of attacking an input for robustness evaluation and identifies those less robust examples as adversarial since less robust examples are easier to attack. Extensive experiment results on MNIST, CIFAR10 and ImageNet show that A2D is more effective than recent promising approaches. We also evaluate our defense against potential adaptive attacks and show that A2D is effective in defending carefully designed adaptive attacks, e.g., the attack success rate drops to 0% on CIFAR10.
format text
author ZHAO, Zhe
CHEN, Guangke
WANG, Jingyi
YANG, Yiwei
SONG, Fu
SUN, Jun
author_facet ZHAO, Zhe
CHEN, Guangke
WANG, Jingyi
YANG, Yiwei
SONG, Fu
SUN, Jun
author_sort ZHAO, Zhe
title Attack as defense: Characterizing adversarial examples using robustness
title_short Attack as defense: Characterizing adversarial examples using robustness
title_full Attack as defense: Characterizing adversarial examples using robustness
title_fullStr Attack as defense: Characterizing adversarial examples using robustness
title_full_unstemmed Attack as defense: Characterizing adversarial examples using robustness
title_sort attack as defense: characterizing adversarial examples using robustness
publisher Institutional Knowledge at Singapore Management University
publishDate 2021
url https://ink.library.smu.edu.sg/sis_research/6213
https://ink.library.smu.edu.sg/context/sis_research/article/7216/viewcontent/attack_as_defense.pdf
_version_ 1770575892517486592

Similar Items