A Geometrical Approach to Evaluate the Adversarial Robustness of Deep Neural Networks-Reference-Cited by-同舟云学术

A Geometrical Approach to Evaluate the Adversarial Robustness of Deep Neural Networks

Published:2023-06-07 Issue:5s Volume:19 Page:1-17
ISSN:1551-6857
Container-title:ACM Transactions on Multimedia Computing, Communications, and Applications
language:en
Short-container-title:ACM Trans. Multimedia Comput. Commun. Appl.

Author:

Wang Yang¹^ORCID,Dong Bo²^ORCID,Xu Ke³^ORCID,Piao Haiyin⁴^ORCID,Ding Yufei⁵^ORCID,Yin Baocai¹^ORCID,Yang Xin¹^ORCID

Affiliation:

1. Dalian University of Technology

2. Princeton University

3. City University of Hong Kong

4. Northwestern Polytechnical University

5. University of California, Santa Barbara

Abstract

Deep neural networks (DNNs) are widely used for computer vision tasks. However, it has been shown that deep models are vulnerable to adversarial attacks—that is, their performances drop when imperceptible perturbations are made to the original inputs, which may further degrade the following visual tasks or introduce new problems such as data and privacy security. Hence, metrics for evaluating the robustness of deep models against adversarial attacks are desired. However, previous metrics are mainly proposed for evaluating the adversarial robustness of shallow networks on the small-scale datasets. Although the Cross Lipschitz Extreme Value for nEtwork Robustness (CLEVER) metric has been proposed for large-scale datasets (e.g., the ImageNet dataset), it is computationally expensive and its performance relies on a tractable number of samples. In this article, we propose the Adversarial Converging Time Score (ACTS), an attack-dependent metric that quantifies the adversarial robustness of a DNN on a specific input. Our key observation is that local neighborhoods on a DNN’s output surface would have different shapes given different inputs. Hence, given different inputs, it requires different time for converging to an adversarial sample. Based on this geometry meaning, the ACTS measures the converging time as an adversarial robustness metric. We validate the effectiveness and generalization of the proposed ACTS metric against different adversarial attacks on the large-scale ImageNet dataset using state-of-the-art deep networks. Extensive experiments show that our ACTS metric is an efficient and effective adversarial metric over the previous CLEVER metric.

Funder

National Key Research and Development Program of China

National Natural Science Foundation of China

Distinguished Young Scholars Funding of Dalian

Publisher

Association for Computing Machinery (ACM)

Subject

Computer Networks and Communications,Hardware and Architecture

Link

https://dl.acm.org/doi/pdf/10.1145/3587936

Reference58 articles.

1. Threat of Adversarial Attacks on Deep Learning in Computer Vision: A Survey

2. Anish Athalye, Nicholas Carlini, and David Wagner. 2018. Obfuscated gradients give a false sense of security: Circumventing defenses to adversarial examples. In Proceedings of the International Conference on Machine Learning.

3. Anish Athalye, Logan Engstrom, Andrew Ilyas, and Kevin Kwok. 2018. Synthesizing robust adversarial examples. In Proceedings of the International Conference on Machine Learning.

4. Osbert Bastani, Yani Ioannou, Leonidas Lampropoulos, Dimitrios Vytiniotis, Aditya Nori, and Antonio Criminisi. 2016. Measuring neural net robustness with constraints. In Advances in Neural Information Processing Systems.

5. Dimensionality reduction as a defense against evasion attacks on machine learning classifiers;Bhagoji Arjun Nitin;arXiv:1704.02654,2017

Cited by 1 articles. 订阅此论文施引文献订阅此论文施引文献，注册后可以免费订阅5篇论文的施引文献，订阅后可以查看论文全部施引文献

1. Frame-Event Alignment and Fusion Network for High Frame Rate Tracking;2023 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR);2023-06