Using intuition from empirical properties to simplify adversarial training defense

Guanxiong Liu, Issa Khalil, Abdallah Khreishah

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Thanks to their power to represent complex distributions, neural network (NN) classifiers are widely used in tasks including natural language processing, computer vision, and cyber security. Recent work, however, has revealed the existence of adversarial examples. These adversarial examples break the NN classifiers' underlying assumption that the environment is attack free, and they can easily mislead a fully trained NN classifier without noticeable changes to the input. Among defensive methods, adversarial training is a popular choice. However, the original adversarial training with single-step adversarial examples (Single-Adv) cannot defend against iterative adversarial examples. Adversarial training with iterative adversarial examples (Iter-Adv) can defend against them, but it consumes too much computational power and hence is not scalable. In this paper, we analyze Iter-Adv techniques and identify two of their empirical properties. Based on these properties, we propose modifications that enhance Single-Adv to perform competitively with Iter-Adv. Through a preliminary evaluation, we show that the proposed method improves the test accuracy of a state-of-the-art (SOTA) Single-Adv defensive method against iterative adversarial examples by up to 16.93% while reducing its training cost by 28.75%.
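The single-step vs. iterative contrast the abstract builds on can be sketched as follows. This is a minimal illustration, not the paper's implementation: a toy quadratic "classifier loss" stands in for a trained NN's loss surface so that gradients are exact and the code is self-contained, and the function names, `eps`, `alpha`, and step counts are all illustrative assumptions.

```python
import numpy as np

# Toy quadratic loss L(x) = 0.5 * ||W x - y||^2 as a stand-in for a
# trained NN classifier's loss; W and y are arbitrary fixed parameters.
rng = np.random.default_rng(0)
W = rng.standard_normal((3, 4))
y = rng.standard_normal(3)

def loss(x):
    return 0.5 * np.sum((W @ x - y) ** 2)

def loss_grad(x):
    # Exact gradient of the toy loss with respect to the input x.
    return W.T @ (W @ x - y)

def single_step_attack(x, eps):
    """Single-step (FGSM-style) L-inf attack: one signed-gradient step."""
    return x + eps * np.sign(loss_grad(x))

def iterative_attack(x, eps, alpha, steps):
    """Iterative (PGD-style) L-inf attack: many small signed-gradient
    steps, each projected back into the eps-ball around the clean x."""
    x_adv = x.copy()
    for _ in range(steps):
        x_adv = x_adv + alpha * np.sign(loss_grad(x_adv))
        x_adv = np.clip(x_adv, x - eps, x + eps)  # projection onto the ball
    return x_adv

x = rng.standard_normal(4)
x_single = single_step_attack(x, eps=0.1)
x_iter = iterative_attack(x, eps=0.1, alpha=0.02, steps=20)
```

Adversarial training then trains the classifier on such perturbed inputs. The iterative variant costs roughly `steps` extra gradient computations per training example, which is the scalability gap between Single-Adv and Iter-Adv that the paper targets.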

Original language: English
Title of host publication: Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop, DSN-W 2019
Publisher: Institute of Electrical and Electronics Engineers Inc.
Pages: 58-61
Number of pages: 4
ISBN (Electronic): 9781728130309
DOIs: 10.1109/DSN-W.2019.00020
Publication status: Published - 1 Jun 2019
Event: 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop, DSN-W 2019 - Portland, United States
Duration: 24 Jun 2019 - 27 Jun 2019

Publication series

Name: Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop, DSN-W 2019

Conference

Conference: 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop, DSN-W 2019
Country: United States
City: Portland
Period: 24/6/19 - 27/6/19

Keywords

  • adversarial example
  • adversarial training
  • neural network classifier

ASJC Scopus subject areas

  • Artificial Intelligence
  • Information Systems
  • Safety, Risk, Reliability and Quality

Cite this

Liu, G., Khalil, I., & Khreishah, A. (2019). Using intuition from empirical properties to simplify adversarial training defense. In Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop, DSN-W 2019 (pp. 58-61). [8806015] (Proceedings - 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshop, DSN-W 2019). Institute of Electrical and Electronics Engineers Inc. https://doi.org/10.1109/DSN-W.2019.00020

